How to Implement Boolean Logic in RiskTree

Implementing Boolean logic in RiskTree

by Tony Badsey-Ellis


What is Boolean logic?

Boolean Logic is a form of algebra that is centered around three simple words known as Boolean Operators: “Or,” “And,” and “Not.” These Boolean operators are the logical conjunctions between your keywords in a search to help broaden or narrow its scope.


Wondering how it works with RiskTree?

If you’re wondering how to implement Boolean logic in a RiskTree and haven’t been able to find this function in the tool. This guide will explain how to do it, and why it isn’t an explicit function.


In a nutshell, all nodes in an attack tree default to ‘OR’ behaviour. In other words the assessment is for each risk independent of the others. But sometimes you might want to implement ‘AND’ logic. Where two risks occur together for the attacker to succeed.


Example micro-tree

Example of the need for the AND Function

In the micro-tree above, we are concerned about data theft.

On the left side, an independent attack involves the theft of hard drives. However, the middle and right-hand attacks must both take place in order for the risk to become a reality. This is because simply stealing the credentials does not grant the attacker access to any additional data. In order to copy the data, the attacker must first steal the credentials and then log in. These attacks are therefore interconnected and both need to happen for the AND function to be activated.

RiskTree doesn’t support the AND function for pairs of risks. This is because it makes the trees more complex to understand, which goes against our objective of making RiskTrees intelligible to non-technical, non-risk experts. It’s also because risk is subjective, and depending on how you use RiskTree, the way to combine assessment factors might differ.


Considering risks individually and in combination

This doesn’t mean that you can’t handle this type of function. In part, it depends on whether the separate risks need to be considered individually as well as in combination. In the example shown above, if you want to have the ‘Steal credentials’ and ‘Log in and copy the data’ risks as well as them being combined, the approach that we’ve used is to add a fourth risk of ‘Steal credentials, log in, and copy the data’ – this is, in effect, the ANDed risks broken out separately. When you assess this fourth risk, you can take the assessment values of the two component risks into consideration.

You might have assessed the complexity and damage as follows:

Risk Value Evidence
Complexity Damage
Steal credentials 3 1 The credentials have little value on their own
Log in and copy the data 5 5 The data set is very valuable


Just trying to log in to obtain the data is very hard to do, which is why the Complexity score is 5. But if we have the credentials this will be much easier, so the combined risk Complexity score will be a 3 (the complexity of stealing the credentials). The combined risk will have a Damage of 5, as the value of the data lost will be the same whether the credentials have been stolen or not.


Understanding Blended Risk

There’s no ‘standard’ way for the system to know how to blend the assessment values from two combined risks. So, we’ve decided to let our users just add a combined risk manually. You can then assess the factors, based on the factors for the individual risks as described above, using your knowledge and experience to blend them. If necessary, you can even delete (or just hide) the individual risks if they are no longer needed but have acted as a steppingstone to understanding the blended risk.



We’ve hidden the original ‘Log in and copy the data’ risk as we have decided that a user couldn’t just do this without having stolen the credentials.


If you need further help implementing Boolean logic in RiskTree, or general risk advice please contact us here.

Learn more about our approach to cyber risk here.