Find out more about RiskTrees, how to make them, and how to use the RiskTree Designer and Processor. Key pages are highlighted below.
In place of the formulaic risk assessment approach set out in the Government IS1&2 process, RiskTree analysis is a more free-form approach (but which is still structured and methodical) that focuses on the goals and processes of the attacker. A RiskTree has a defined 'bad outcome' (the root node), which is the goal of the attacker. It then sets out different ways of achieving that outcome, which are shown as branches of the tree from the root node. Additional information can be layered over the tree to show details such as likelihood or cost. Controls can then be evaluated for each possible branch.
Questions and answers about RiskTrees and the RiskTree tools provided in this system.