Voice over IP (VoIP) technology has been aggressively deployed over the past year in several enterprises, and it is estimated that by 2006 the deployment of IP phones will exceed that of PSTN phones. This high level of interest is based on reduced long-distance cost and ease of management. However, there are substantial issues in the Quality of Service (QoS) and security of IP telephony. IP phone threat levels, user behavior and experiences differ from those of data-specific applications like email. We have formalized the sequence of attacker actions in an attack graph and analyzed the risk level of a VoIP Network Element (NE) based on a given threat. These attack graphs can be used to represent a structured elaboration of the events that must occur for a successful intrusion and, subsequently, for formal analysis of intrusion detection. The attack graphs are transformed into vulnerability graphs using Bayesian networks. The vulnerability graph gives the probability of an attack, enabling us to measure the risk level of an NE. The initial probability of an event in an attack graph is obtained by analyzing the traffic pattern of the VoIP network. To compute the risk, we have formulated an analytical model that performs vulnerability analysis and risk mitigation. This model helps us analyze multiple threat levels, thus producing more accurate results than other Bayesian inference tools, which are limited to analyzing a single threat level. We believe that our work can be used for penetration testing and patch management of VoIP networks.
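As an added illustration (not the authors' model or code), the following Python example shows how a probability of attack for an NE can be computed once an attack graph is treated as a Bayesian network, and how patching one precondition changes it. The graph, node names, AND/OR gates, prior values and the risk = probability × impact formula are all assumptions constructed for this example; in the paper the priors come from traffic analysis.

```python
from itertools import product

# Constructed example graph (assumption, not from the paper): leaves are
# preconditions with prior probabilities; inner nodes are AND/OR gates.
PRIORS = {"service_reachable": 0.5, "weak_auth": 0.2, "unpatched_flaw": 0.4}
GATES = {  # listed in topological order
    "account_takeover": ("AND", ["service_reachable", "weak_auth"]),
    "code_execution": ("AND", ["service_reachable", "unpatched_flaw"]),
    "ne_compromised": ("OR", ["account_takeover", "code_execution"]),
}

def evaluate(leaf_state):
    """Propagate leaf truth values through the gates."""
    values = dict(leaf_state)
    for node, (kind, parents) in GATES.items():
        inputs = [values[p] for p in parents]
        values[node] = all(inputs) if kind == "AND" else any(inputs)
    return values

def marginal(priors, goal, evidence=None):
    """P(goal | evidence) by exact enumeration over all leaf states.

    Enumeration keeps shared parents (service_reachable feeds both AND
    gates) correlated, which multiplying gate outputs would not.
    """
    evidence = evidence or {}
    leaves = list(priors)
    hit = total = 0.0
    for bits in product([False, True], repeat=len(leaves)):
        state = dict(zip(leaves, bits))
        weight = 1.0
        for leaf, on in state.items():
            weight *= priors[leaf] if on else 1.0 - priors[leaf]
        values = evaluate(state)
        if all(values[n] == v for n, v in evidence.items()):
            total += weight
            hit += weight if values[goal] else 0.0
    if total == 0.0:
        raise ValueError("evidence has zero probability under these priors")
    return hit / total

def risk(priors, goal, impact):
    """Risk level as probability of the goal times an assumed impact score."""
    return marginal(priors, goal) * impact

if __name__ == "__main__":
    print("P(compromise)          =", round(marginal(PRIORS, "ne_compromised"), 4))
    patched = {**PRIORS, "unpatched_flaw": 0.0}
    print("P(compromise), patched =", round(marginal(patched, "ne_compromised"), 4))
```

With these constructed priors, exact inference gives 0.26, whereas combining the two AND-gate outputs as if they were independent would give 0.28, because both paths share the same precondition.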