The root node for most RiskTrees will be a bad outcome. This is the goal of the attacker, and the action that you are working to protect against. RiskTree has been designed as a flexible framework, and as such you can create any bad outcome that you like. Some that we have found to be particularly useful are listed here.

Common bad outcomes / attacker goals

These are the outcomes that we have seen and used many times, because of their general applicability.

| Bad outcome | Description |
| --- | --- |
| Steal data | The attacker seeks to obtain data from the asset. Corresponds to the deliberate attacks in the Confidentiality space. |
| Data loss | This covers the attacks in Steal data, as well as the accidental loss of data. Corresponds to the Confidentiality space. |
| Tamper with data | The attacker deliberately alters data held in the asset to known, wrong values. Corresponds to the Integrity space. |
| Break system | The attacker deliberately attempts to degrade or destroy the operation of the asset. Corresponds to the Availability space. This tree is often also used to cover accidental failures leading to failure of the asset (e.g., fire at data centre), which involve the use of Hazard risks. |
| Corrupt data | The attacker deliberately changes data in the system. This differs from tampering with data in that the alterations are destructive (e.g., scrambling data, deleting data) and often lead to system failure. This can often be merged into Break system, as data corruption can lead to a system failing unexpectedly. |
| Financial loss | The attacker commits fraud, either directly from a value-bearing system by getting it to transfer money to them, or by acquiring financial advantage that will be charged back to the owner of the asset (e.g., stealing cloud computing capability that is paid for by the asset owner). |
| Damage reputation | The attacker performs actions designed to damage the reputation of the victim. These might be attacks that would fall into other trees described above, but the intent behind these actions is solely to cause reputational damage. |

Specific bad outcomes

These are some outcomes that we have used for very specific client situations.

| Bad outcome | Description |
| --- | --- |
| Compromise principle of hiding in plain sight | The attacker seeks to identify sensitive records in a large set that does not explicitly mark such records. |
| Identify staff working in specific function | The attacker seeks to identify the staff who work in a specific (usually highly sensitive) function or area. |
| Obtain genuine document fraudulently | The attacker seeks to obtain an official document through fraud. |
| Misuse system/asset | The attacker uses the system or asset for purposes for which it was not intended (e.g., looking up official records for personal use). |

This is a non-exhaustive sample of the types of RiskTree that have been created. The only limit is your imagination.