With the increasing number of cyber-attacks on cyber-physical systems, many security precautions and solutions have been suggested. However, most of these solutions aim to prevent the access of an adversary to the system. Though, with the increasing number of elements used in a system, and thus vulnerabilities, it is essential to study the risks introduced to the system to make the system itself efficient enough to react to the attacks once an attacker has obtained access. Analyzing and discovering the risks is the first step to making the system more resilient. This paper proposes a methodology that combines the qualitative risk analysis with formal methods (model checking) to identify the risks that were not recognized during testing or functional modeling phases. To examine this methodology, a car reservation system is modeled with an attacker, and then its security properties are verified using UPPAAL model checking tool. As a result, some risks were identified and tested for the possibility of them occurring and their effects on the system.