Modern enterprises are facing more and more uncertainties and challenges from insecurity and context sensitivity. In view of information security, an enterprise is considered as a collection of assets and their interrelationships and how users use their rights to access the enterprise. These interrelationships may be built into the enterprise information infrastructure, as in the case of connection of hardware elements in network architecture, or in the installation of software or in the information assets. As a result, access to one element may enable access to another if they are connected. An enterprise may specify the conditions on how to access certain assets in certain mode (read, write etc.) as policies. The interconnection of assets, along with specified policies, may lead to vulnerabilities in the enterprise information system if misused. This paper presents a formal methodology for detection of vulnerabilities and threats to enterprise information systems.