The heart of building a good RiskTree is the Risk Discovery Workshop. This brings together key people with knowledge of the asset being assessed to collaboratively build the RiskTree. The workshop needs a facilitator together with people who understand the asset. For an IT system, this would be the technical architect and the business process owner (or equivalents). Experience has shown that the most effective workshops use a small group of people, rather than having a large number of attendees. Large groups tend to lose focus and the discussion can head off on tangents.
The first things to identify are the bad outcomes that an attacker would want to occur, and which you want to defend against. Once you have these, the workshop should address each in turn, completing the RiskTree for each before moving on to the next. RiskTree is an iterative process.
It is important that consensus is reached between the workshop attendees when assessing the risks and assigning the risk assessment values. By the very nature of risk, there is no right answer, and the final choice will be the subjective opinion of those present.
When you are building a set of trees with different bad outcomes for a single system, it is very important that the risk assessment values are considered consistently between the trees. For example, if a loss of £500,000 is scored as a 5 in the Break system tree, but as a 6 in the Steal data tree, then the overall assessment will not be able to calculate the risks in a consistent manner. If you are expecting to compare risks across different assets then you will need to ensure that these are all scored consistently. One of the best ways to ensure consistency is to create a crib sheet for the six assessment values, setting out definitions for the different values for each. An example of this for the Damage assessment value could be:
| 9 | £1 billion + |
It isn't necessary to create a definition for every possible value; just enough to enable a consistent view to be taken in the workshops.
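The consistency requirement described above can be checked mechanically once the workshop's scores are written down. The following is an added example, not part of the RiskTree software or the original page: the record layout, the function name `find_inconsistencies` and the sample rows are assumptions, and it assumes the Damage value is driven by monetary loss alone.

```python
from collections import defaultdict

# Constructed sample workshop output: (tree, node, estimated loss in GBP, Damage score).
# The two 500,000 rows mirror the inconsistency described in the text; the rest are invented.
ASSESSMENTS = [
    ("Break system", "Service outage", 500_000, 5),
    ("Break system", "Database corruption", 20_000_000, 7),
    ("Steal data", "Customer records copied", 500_000, 6),
    ("Steal data", "Backup media lost", 2_000_000, 5),
    ("Steal data", "Full data set disclosed", 1_000_000_000, 9),
]


def find_inconsistencies(assessments):
    """Return (kind, loss, detail) findings for a set of trees scored together.

    same-loss: one loss figure carries more than one Damage score;
               detail is the list of (tree, score) pairs involved.
    ordering:  a loss is scored lower than some smaller loss;
               detail is that smaller loss.
    """
    by_loss = defaultdict(list)
    for tree, node, loss, score in assessments:
        by_loss[loss].append((score, tree, node))

    findings = []
    highest = None  # (score, tree, node, loss): top score seen among smaller losses
    for loss in sorted(by_loss):
        rows = sorted(by_loss[loss])  # ascending by score
        if rows[0][0] != rows[-1][0]:
            findings.append(("same-loss", loss, [(t, s) for s, t, _ in rows]))
        if highest is not None and rows[0][0] < highest[0]:
            findings.append(("ordering", loss, highest[3]))
        if highest is None or rows[-1][0] > highest[0]:
            highest = (*rows[-1], loss)
    return findings


if __name__ == "__main__":
    for kind, loss, detail in find_inconsistencies(ASSESSMENTS):
        print(f"{kind}: loss of £{loss:,} -> {detail}")
```

Each finding is a prompt for the workshop to revisit the score or tighten the crib sheet definition, since the final values remain the attendees' judgement.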