By default in RiskTree, a countermeasure is either existing and proven (in which case it reduces the residual risk) or it is not (in which case it reduces only the target risk). In practice, however, a countermeasure is often in place without you having full confidence in it. For example, a SIEM tool might have been installed and configured, but are you sure that it will actually detect an attack? You may only gain that confidence once penetration testing or other assurance testing has been completed.
This is where RiskTree countermeasure confidence can be used. If you record less than full confidence in a countermeasure, the residual risk calculation gives that countermeasure less weight, so it has a smaller effect on the residual risk. You can therefore use confidence values to help manage your risks and to show how your risk levels change as your assurance processes improve. As assurance increases, so should your confidence in your countermeasures (unless the assurance process finds that a countermeasure is less effective than you expected, in which case the confidence should go down).
Countermeasure confidence has to be enabled via the Settings box. Tick the Set confidence levels for countermeasures box:
When you add or edit a countermeasure, if the Existing/proven box is ticked, you will be able to provide your level of confidence in the countermeasure by adjusting the slider control.
This is rated on a five-point scale, as follows:
You can also add a note to explain your choice of confidence level by clicking on the button next to the slider. The button appears solid if a note already exists.
If confidence values are enabled, they will be shown in an additional column in the countermeasure table, both as a percentage and as a coloured circle.
The confidence can also be shown on the countermeasure discs on the RiskTree. On the Countermeasures tab, click on the Options button and tick Show confidence colours.
In the example shown above right, the following countermeasures can be seen:

| Countermeasure | Colour | Confidence |
|---|---|---|
| 3 | Green | No confidence value set |
| 4 | Light green | 75% confidence |
| 9 | Dark green | 100% confidence |
If you have customized the colours used for existing and target countermeasures, then the colours for countermeasures 3 and 8 in the example above (i.e., the countermeasures without confidence values) will differ from those shown in the table above. If you intend to set confidence values for countermeasures, avoid using the five pre-set confidence colours as custom countermeasure colours, otherwise a countermeasure with no confidence value could be mistaken for one with a particular confidence level.
The target risk calculation sets the confidence for all existing countermeasures to 100%. This is on the assumption that your target should be to gain full confidence in your existing countermeasures, as well as to implement your target countermeasures. As a result, a risk can have a lower target score than residual score even when it has no target countermeasures at all, purely because its existing countermeasures are assumed to be fully effective in the target calculation. Such risks are indicated by a blue information icon in the risk table.
If you would rather calculate the target risk level without raising the existing countermeasure confidence levels to 100%, untick the Set any confidence levels to 100% in target calculation box under Advanced options in the RiskTree Processor.
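The following is an added worked example of the residual and target calculations described above; it is not RiskTree's own code and does not reproduce RiskTree's actual scoring algorithm. It assumes a simplified model in which each countermeasure removes a fixed fraction of the risk score when fully effective, and that fraction is scaled by the confidence in the countermeasure. The five-point scale is assumed to map to 0%, 25%, 50%, 75% and 100%, and the SIEM and patching countermeasures, their reduction factors and the base score of 100 are all constructed for illustration. It shows why a risk can have a lower target score than residual score with no target countermeasures, and what the Set any confidence levels to 100% in target calculation option changes.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed mapping of the five-point confidence scale to a weight in [0, 1].
# The page presents the scale only as an image, so these values are an assumption.
CONFIDENCE_SCALE = {1: 0.0, 2: 0.25, 3: 0.5, 4: 0.75, 5: 1.0}


@dataclass(frozen=True)
class Countermeasure:
    name: str
    reduction: float                  # fraction of the score removed when fully effective (0..1)
    existing: bool                    # True = existing/proven, False = target (planned)
    confidence: Optional[int] = None  # 1..5 for existing countermeasures; None = not set


def _weight(cm: Countermeasure, raise_to_full: bool) -> float:
    """Confidence weight applied to a countermeasure's reduction.

    A target countermeasure, or an existing one whose confidence is unset or
    being raised to full for the target calculation, counts at 100%.
    """
    if not cm.existing or cm.confidence is None or raise_to_full:
        return 1.0
    return CONFIDENCE_SCALE[cm.confidence]


def residual_risk(base: float, cms: Iterable[Countermeasure]) -> float:
    """Residual risk: only existing countermeasures apply, each weighted by confidence."""
    score = base
    for cm in cms:
        if cm.existing:
            score *= 1 - cm.reduction * _weight(cm, raise_to_full=False)
    return round(score, 4)


def target_risk(base: float, cms: Iterable[Countermeasure],
                raise_confidence_to_full: bool = True) -> float:
    """Target risk: all countermeasures apply. By default existing countermeasures
    are assumed to reach full confidence (the ticked-box behaviour); pass
    raise_confidence_to_full=False to keep their recorded confidence instead."""
    score = base
    for cm in cms:
        score *= 1 - cm.reduction * _weight(cm, raise_to_full=raise_confidence_to_full)
    return round(score, 4)


def target_below_residual_without_targets(base: float,
                                          cms: Iterable[Countermeasure]) -> bool:
    """True when the target score is lower than the residual score even though the
    risk has no target countermeasures: the case flagged with the information icon."""
    cms = list(cms)
    has_target = any(not cm.existing for cm in cms)
    return not has_target and target_risk(base, cms) < residual_risk(base, cms)


# Constructed sample: a SIEM that is installed but only at 75% confidence (4 of 5).
SIEM_ONLY = [Countermeasure("SIEM alerting", reduction=0.4, existing=True, confidence=4)]

# Constructed sample: the same SIEM plus a planned (target) patching programme.
WITH_PATCHING = SIEM_ONLY + [Countermeasure("Patch programme", reduction=0.5, existing=False)]


if __name__ == "__main__":
    base = 100.0
    print("SIEM only   residual:", residual_risk(base, SIEM_ONLY))          # 70.0
    print("SIEM only   target  :", target_risk(base, SIEM_ONLY))            # 60.0
    print("SIEM only   target (keep confidence):",
          target_risk(base, SIEM_ONLY, raise_confidence_to_full=False))     # 70.0
    print("info icon?  :", target_below_residual_without_targets(base, SIEM_ONLY))
    print("With patching target:", target_risk(base, WITH_PATCHING))        # 30.0
```

With the SIEM at 75% confidence the residual score is 70, but the default target calculation assumes the SIEM will reach full confidence and gives 60, with no target countermeasure involved; unticking the option makes the target score match the residual score at 70. Adding the planned patching programme then lowers the target score further in either mode.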