Abstract. The CORAS security risk modelling language is a customised graphical language for communication, documentation and analysis of security threat and risk scenarios. This paper presents a semantics for the CORAS language. The semantics is structured in that it provides stepby-step instructions on how to correctly interpret an arbitrary CORAS diagram. The result is a readable paragraph of English. This enables users of the CORAS language to easily extract the intended meaning of a given diagram. The semantics is modular in the sense that the semantics of any diagram can be deduced from the semantics of its elements and relations.