Risk Types

Intrinsic risk, sometimes known as native or inherent risk, is the level of risk to which the asset or system would be exposed in the absence of any countermeasures. For example, if a database is encrypted, the encryption is a countermeasure and the intrinsic risk will be assessed without taking the encryption into account. In RiskTree, the intrinsic risk for attacks is calculated using the six risk assessment values that you set for each risk, as represented by the end nodes of the tree. Natural hazard risks use three assessment values.

Residual risk is the level of risk that remains once the effect of the countermeasures that exist is taken into consideration. Countermeasures modify one or more of the assessment values, and the cumulative effect of all of the countermeasures that affect a risk is used to calculate the residual risk level. We refer to these countermeasures as residual countermeasures. By default they are shown as green circles ●.

Target risk is the level of risk that you could potentially get your asset or system to if further countermeasures were applied. These countermeasures can be used if you have residual risks that are still above tolerance; you can try applying these extra countermeasures to see which gives the best risk reduction and therefore might be a sensible action to take. They can also be used to perform 'what if' analysis, to determine which might be most useful. These are termed target countermeasures. By default they are shown as blue circles ●.