The RiskTree process brings a number of benefits to the risk assessment process. However, it is not a panacea, and the following points must be borne in mind.
By involving the business in the Risk Discovery Workshops, the language used to describe the risks and countermeasures is intelligible to the business. RiskTree moves away from risk assessments that use arcane, technical descriptions of risks that seem designed to exclude people who aren’t risk practitioners.
The RiskTree approach is structured around understanding how a bad outcome can be achieved. The tool includes templates that help by reusing existing knowledge; these are then adapted during the risk workshops to give a view of risk that is tailored to the client and their systems. The systematic approach used by RiskTree avoids leaving gaps in the analysis and helps to develop a full view of system risk.
The RiskTree process is repeatable. Getting a diverse group of people to assess and prioritize risks has traditionally been a highly subjective process that would lead to different results if repeated. When using RiskTree, the evidence for the assessment values is captured by the software as part of the risk assessment. This allows the rationale for decisions to be understood later, by those who weren’t at the workshop.
One of the most powerful effects of the Risk Discovery Workshop is getting people with a stake in the system to talk. The discussions about risk often uncover information that was thought to be known by the participants, but wasn’t. This is an additional advantage of the systematic approach taken to assembling the trees.
RiskTree files can be processed singly or together. On their own, they will give a view of the risks for that tree. When aggregated together, they will give a high-level view of the risks across multiple trees. It therefore follows that if multiple systems’ files are aggregated, a view of the risks will be given spanning those systems, with the risk levels being recalculated in the context of all of the trees. This is probably easier to demonstrate than explain!
No sensitive information is sent outside your organization by RiskTree. The software principally runs within the browser, with just the calculations being performed in the cloud. Only numeric data, with no information about the risks to which they pertain, are sent – encrypted using TLS – to the cloud system. The results are returned, and the browser reassembles all of the data to provide meaningful output. A further, more detailed paper on RiskTree security is available on request.
The RiskTree process aligns well with agile development. The trees can be developed in an iterative fashion, with more detail being added over successive passes. This contrasts with other risk assessment processes that require all of the information to be present, ready for assessment in a single ‘big bang’. That said, RiskTree can be, and has been, used with other development approaches, and also for reassessing operational systems.
The National Cyber Security Centre has published a set of principles for the management of cyber security risks. RiskTree meets all of these principles, and we can provide a separate paper that explains how.