A method operable in a computing device adapted for handling security risk can use taint accumulation to detect intrusion. The method can comprise receiving a plurality of taint indicators indicative of potential security risk from a plurality of distinct sources at distinct times, and accumulating the plurality of taint indicators independently using a corresponding plurality of distinct accumulation functions. Security risk can be assessed according to a risk assessment function that is cumulative of the plurality of taint indicators.