Security testing and security risk analysis are key issues and central to strengthening the ability of companies to face the new security challenges posed by the future internet. We present a conceptual framework clarifying the notions of security testing, security risk analysis, and related concepts, as well as defining the relations among them. The conceptual framework is built upon established concepts from state-of-the-art standards. We focus on model-based approaches for security testing and security risk analysis and distinguish between model-based security testing (MST) and model-based security risk analysis (MSR). In particular, we present the two possible combinations of MST and MSR, which are risk-driven model-based security testing (RMST) and test-driven model-based security risk analysis (TMSR). The conceptual framework offers a basis for future research by providing a common understanding of the central notions within security testing and security risk analysis.