What is RiskTree?
RiskTree is a structured approach for risk management. Based on the concept of attack trees it provides a systematic way of capturing, evaluating and prioritising risks to your organisation and systems.
RiskTree’s hierarchical framework focuses on the goals and methods of the attacker. A RiskTree has a single, defined root node which represents the ‘bad outcome’ (the ultimate objective of the attacker). It then models the ways of achieving that outcome, which are shown as branches of the tree descending from the root node. Additional information can be layered over the tree to show details such as likelihood or cost. Controls can then be evaluated for each possible branch.
Typically multiple RiskTrees are built to represent a number of attacker goals against the system being modelled, and these are then combined to provide an overall risk profile and clarify a complex risk picture.
Here are some benefits of using RiskTree (attack trees):
The NCSC report highlights the importance of quantifying risk when using attack trees.
By assigning assessment values including Cost, Complexity, Reward, and Damage to each risk in a RiskTree, it’s possible to fully understand the likelihood and potential impacts of an attack.
For the values assessed financially, typically Cost, Reward, and Damage, an order-of-magnitude scale works best.
This approach enables those responsible for risk to gain a clear view of their intrinsic risks and communicate this to their senior management teams.
Risk Mitigation Strategies
Once a RiskTree has been built and assessment values assigned, organisations can focus on developing appropriate countermeasures. By analysing the attack paths and identifying critical vulnerabilities, it is possible to prioritise resources to address the most significant risks.
Risk mitigation strategies can involve a combination of technical controls, such as implementing monitoring systems and using encryption, and non-technical measures like employee awareness programmes. The goal is to create layered defences that make it increasingly difficult for bad actors to exploit vulnerabilities, and to reduce the impact if they try. RiskTree clearly shows the effect of each of these countermeasures and provides a ‘before’ and ‘after’ view.
RiskTree also enables the user to perform ‘what-if?’ analysis and create a view of future risk. This allows users to forecast the impact and costs of mitigation strategies before actioning them, or to provide evidence of the impacts (typically reputational or financial), from a lack of action.
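The following is an added, illustrative model of the ideas described above (a root ‘bad outcome’, branches for the ways of achieving it, Cost/Complexity/Reward/Damage on each step, order-of-magnitude banding, and a ‘before’/‘after’ and ‘what-if?’ view of controls). It is not RiskTree’s code or its scoring method: the OR/AND combination rule, the reward-to-cost priority score, and the way a control adds attacker cost or scales damage are assumptions made for the example, and all figures in the sample tree are constructed.

```python
import math
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Illustrative attack-tree model (not RiskTree's own method). All figures below
# are constructed, in arbitrary currency units.


@dataclass
class Control:
    name: str
    added_cost: float = 0.0     # assumed: extra cost the attacker pays once the control exists
    damage_factor: float = 1.0  # assumed: multiplier on Damage (0.1 cuts the impact to a tenth)


@dataclass
class Node:
    name: str
    gate: str = "OR"          # "OR": any child achieves this node; "AND": every child is needed
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0         # leaf only: attacker's cost to perform this step
    complexity: int = 1       # leaf only: 1 (trivial) .. 5 (very hard); informational here
    reward: float = 0.0       # leaf only: value gained by the attacker
    damage: float = 0.0       # leaf only: loss to the organisation
    controls: List[Control] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def band(value: float) -> int:
    """Order-of-magnitude band: 100 -> 2, 1_000 -> 3, 1_000_000 -> 6."""
    return 0 if value < 1 else int(math.floor(math.log10(value)))


def effective_cost(leaf: Node, applied: FrozenSet[str]) -> float:
    """Attacker cost of a leaf once the named controls are in place."""
    return leaf.cost + sum(c.added_cost for c in leaf.controls if c.name in applied)


def effective_damage(leaf: Node, applied: FrozenSet[str]) -> float:
    damage = leaf.damage
    for c in leaf.controls:
        if c.name in applied:
            damage *= c.damage_factor
    return damage


def cheapest_path(node: Node, applied: FrozenSet[str]) -> Tuple[float, List[str]]:
    """Classic attack-tree aggregation: OR takes the cheapest child, AND sums its children.
    Returns (total attacker cost, leaf names on that path)."""
    if node.is_leaf():
        return effective_cost(node, applied), [node.name]
    parts = [cheapest_path(ch, applied) for ch in node.children]
    if node.gate == "AND":
        return sum(p[0] for p in parts), [n for p in parts for n in p[1]]
    return min(parts, key=lambda p: p[0])


def leaves(node: Node) -> List[Node]:
    return [node] if node.is_leaf() else [lf for ch in node.children for lf in leaves(ch)]


def leaf_score(leaf: Node, applied: FrozenSet[str]) -> float:
    """Assumed priority score: reward-to-cost ratio (attractiveness to the attacker)
    weighted by the damage band (severity for the organisation)."""
    cost = max(effective_cost(leaf, applied), 1.0)
    return leaf.reward / cost * (1 + band(effective_damage(leaf, applied)))


def prioritise(root: Node, applied: FrozenSet[str] = frozenset()) -> List[Tuple[str, float]]:
    """Rank every attack step, highest priority first, for a given set of controls."""
    ranked = [(lf.name, round(leaf_score(lf, applied), 2)) for lf in leaves(root)]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def all_controls(root: Node) -> FrozenSet[str]:
    return frozenset(c.name for lf in leaves(root) for c in lf.controls)


def build_example_tree() -> Node:
    """Constructed sample tree: one bad outcome, three ways of reaching it."""
    mfa = Control("MFA on admin accounts", added_cost=50_000)
    patching = Control("Patch SLA", added_cost=100_000)
    encrypt = Control("Encrypt backups", added_cost=1_000_000, damage_factor=0.1)
    return Node("Customer database exfiltrated", "OR", [
        Node("Phish an administrator", cost=1_000, complexity=2,
             reward=100_000, damage=1_000_000, controls=[mfa]),
        Node("Exploit unpatched web application", cost=10_000, complexity=3,
             reward=100_000, damage=1_000_000, controls=[patching]),
        Node("Steal a backup tape", "AND", [
            Node("Enter data centre", cost=5_000, complexity=3),
            Node("Read tape contents", cost=2_000, complexity=1,
                 reward=100_000, damage=1_000_000, controls=[encrypt]),
        ]),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    none, every = frozenset(), all_controls(tree)
    print("before:", cheapest_path(tree, none), prioritise(tree, none))
    print("after: ", cheapest_path(tree, every), prioritise(tree, every))
    # what-if: only MFA is funded; the cheapest path moves to the backup tape
    print("what-if MFA only:", cheapest_path(tree, frozenset({"MFA on admin accounts"})))
```

The ‘before’ run shows phishing as both the cheapest path and the top priority; applying every control raises the cheapest path cost fifty-fold, while the ‘what-if?’ run with MFA alone shows the attacker’s cheapest route shifting to the physical backup branch, which is the kind of forecast the text describes.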
Continuous Risk Analysis
The NCSC guidance emphasises the need for regular risk assessments. Cyber threats are evolving, and new vulnerabilities emerge over time. Therefore, it is essential to reassess and update risks to ensure they remain relevant.
RiskTree is dynamic and adaptable. Unlike spreadsheets, RiskTree is easy to update and refine as new information becomes available or changes occur in the risk landscape. This iterative process encourages continuous improvement in risk assessment, allowing the risk analysis to be managed in real time, in parallel with project management.
Collaboration & Communication
The NCSC calls for organisations to collaborate on risk — something the team behind RiskTree has advocated for years.
This is why RiskTree uses your business language and avoids technical jargon. This way, everything is clearly understood by technical and non-technical teams alike.
RiskTree provides concise visualisations to help stakeholders understand the risk scenario more easily and to facilitate communication between teams.
Reports can be shared as ‘read-only’ to keep everyone updated.
Read the NCSC’s guidance and find out more about using attack trees as part of your risk management strategy.
Only when you clearly understand the many risks facing your organisation can you create a meaningful plan to mitigate them.
RiskTree provides a structured and visual approach to analysing risks, supports decision-making, and facilitates effective communication. RiskTree is based on decades of work in cyber risk at the highest level. It’s your route to a clear picture and purposeful plan.