The table below suggests how the RiskTree assessment values can be applied. Please note that this is for guidance only, and is not intended as a rigorous set of statements. In practice, you should remember that risk is inherently subjective, and the key purpose of the assessment values is to show relative levels for each of them (i.e., how much attacks would cost, relative to each other). RiskTree will not accept fractional values, and so if a risk value is assessed as being between two levels the workshop must decide whether to go up or down to the nearest whole number.
The most important aspect of assigning the assessment values is that the process is consistent between workshops, and that consensus is achieved between those attending the workshops.
The assessment values can be summarized as follows (the grouping rows Attacker values, Hazards and Victim values are section labels, not values in their own right):

Assessment value | Description |
---|---|
Attacker values | |
Cost | The monetary cost to the attacker of performing the attack (which can include the effort/time expended). |
Complexity | The complexity of performing the attack. This should consider the knowledge of technologies, tools, and of the victim organization that would be necessary. |
Consequences | This combines the likelihood of detection with the likely sanctions against the attacker. If there is no risk to the attacker, even if detected, then this will be 1 (as it will not be possible to apply sanctions); for example, a hacker operating from a jurisdiction from which they cannot be pursued by the UK authorities. |
Reward | The benefit to the attacker of performing the attack. This could be monetary, but other benefits, such as kudos in the hacker community, should also be considered. |
Hazards | |
Likelihood | For risks that are defined as Hazards (e.g., floods, lightning strikes, power failures, etc.) it is not possible to assign attacker values, as there is no attacker. In these cases a single value is provided instead, which assesses the likelihood (or probability) of the hazard occurring. |
Victim values | |
Damage | The loss to the victim. As well as direct monetary losses through theft, this could include fines imposed (e.g., for loss of personal data) and the cost of investigating and remediating the attack. |
Replay | The number of times the attack could be replayed against the same victim, not necessarily by the same attacker. A single DDoS attack counts as one attack, even though millions of computers could be involved. Phishing attacks should be rated by the number of successful phishes. |
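The rules above (whole numbers only, attacker values for attacks, a single Likelihood for hazards, Consequences of 1 when no sanction is possible) are easy to get wrong when values are collected across several workshops. The following check is an added illustration written for this page; it is not part of RiskTree and does not reproduce any RiskTree scoring. It assumes things the page does not state: that every value sits on a 1..`top` scale (the page only shows that 1 is the bottom of the Consequences scale, so `top` is a caller-supplied assumption), and that hazards still carry the victim values Damage and Replay. The sample risks are constructed.

```python
"""Check a set of RiskTree-style assessment values against the guidance above.

Added illustration, not RiskTree's own code. Assumptions not on the page:
values are whole numbers from 1 to `top`, and hazards keep the victim values.
"""
from __future__ import annotations

import math

ATTACKER_VALUES = ("cost", "complexity", "consequences", "reward")
HAZARD_VALUES = ("likelihood",)
VICTIM_VALUES = ("damage", "replay")


def validate(risk: dict, top: int = 5) -> list[str]:
    """Return a list of problems; an empty list means the values are acceptable.

    `risk` is a plain dict: {"name": ..., "kind": "attack" | "hazard", "values": {...}}.
    """
    problems: list[str] = []
    kind = risk.get("kind")
    values = risk.get("values", {})

    if kind == "attack":
        required, forbidden, label = ATTACKER_VALUES + VICTIM_VALUES, HAZARD_VALUES, "an attack"
    elif kind == "hazard":
        # Assumption: a hazard has no attacker values but is still assessed for victim loss.
        required, forbidden, label = HAZARD_VALUES + VICTIM_VALUES, ATTACKER_VALUES, "a hazard"
    else:
        return [f"unknown risk kind {kind!r}"]

    for name in required:
        if name not in values:
            problems.append(f"missing {name}")
    for name in forbidden:
        if name in values:
            problems.append(f"{name} is not an assessment value for {label}")

    for name, value in values.items():
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"{name}: not a number ({value!r})")
            continue
        if value != int(value):
            # RiskTree does not accept fractional values: the workshop must pick a neighbour.
            lo, hi = math.floor(value), math.ceil(value)
            problems.append(f"{name}: fractional value {value}; the workshop must choose {lo} or {hi}")
            continue
        if not 1 <= value <= top:
            problems.append(f"{name}: {value} is outside the 1..{top} scale")
    return problems


def rank_by(risks: list[dict], value_name: str) -> list[str]:
    """Order risk names by one assessment value, highest first.

    The values are relative levels, so this ordering (not the raw numbers)
    is what the workshop should sanity-check between sessions.
    """
    scored = [(r["values"][value_name], r["name"]) for r in risks if value_name in r["values"]]
    return [name for _, name in sorted(scored, key=lambda t: (-t[0], t[1]))]


# Constructed sample risks (not from the page).
PHISHING_ATTACK = {
    "name": "Credential phishing of finance staff",
    "kind": "attack",
    # Replay counts successful phishes; Consequences is 1 for an attacker beyond UK reach.
    "values": {"cost": 1, "complexity": 2, "consequences": 1, "reward": 4, "damage": 3, "replay": 4},
}
FLOOD_HAZARD = {
    "name": "Flooding of the server room",
    "kind": "hazard",
    "values": {"likelihood": 2, "damage": 5, "replay": 1},
}
BAD_RISK = {
    "name": "Mis-recorded workshop entry",
    "kind": "attack",
    "values": {"cost": 2.5, "complexity": 3, "consequences": 2, "reward": 3,
               "damage": 2, "replay": 1, "likelihood": 3},
}

if __name__ == "__main__":
    for risk in (PHISHING_ATTACK, FLOOD_HAZARD, BAD_RISK):
        print(risk["name"], validate(risk) or "ok")
    print(rank_by([PHISHING_ATTACK, FLOOD_HAZARD], "damage"))
```

Run it over a workshop's exported values before they are entered into RiskTree: a fractional value or a hazard carrying attacker values is reported with the fix the workshop needs to make, rather than being silently rounded.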