2T Security has developed RiskTree as a structured approach for risk management. Based around the well-established concept of attack trees, RiskTree provides a systematic way of capturing and prioritizing the risks to your business and systems. It presents its results in an easy-to-understand format that integrates well with existing business processes. Attack trees are a well-known approach to risk assessment, looking at the risks from the perspective of an attacker and constructing tree structures that show the relationships between different risks. This allows the risk profile of the asset to be easily explored, even by people who haven't been involved in the assessment.
There are a number of business benefits to using RiskTree:
RiskTree has already been deployed by clients in both the public and private sectors. One client has replaced their previous information risk management processes completely, and is already seeing the benefits of the RiskTree approach from better business engagement, end-to-end lifecycle support for security from projects, and more comprehensive risk registers – all leading to better assurance.
A number of UK Government Departments are using RiskTree, and we have also created a bespoke version for one department that needed it as part of a major new programme of work.
The RiskTree software allows creation of the trees within the browser environment. This can be done during the workshops, or as a data-capture exercise afterwards. The tree is built quickly and efficiently, and can then be submitted to the on-line service for secure assessment. No sensitive data ever leave the client environment as part of this assessment.
RiskTree reports can be created from attack trees with and without controls applied, and so can give a view of intrinsic risk (at the very start of a project) and of residual risk (once controls have been planned); this allows the effect of the controls to be demonstrated. The Processor analyses the risk data and generates a prioritized table of risks. By default the table is sorted on a traditional six-point scale (Very High to Very Low), but a configuration tool allows the scale to be modified to suit your own requirements.
Workshops bringing together relevant staff from across the business identify the risks to the asset through the structured process of building a RiskTree.
Workshop attendees consider various factors of the risks and countermeasures on the RiskTree through an iterative process to achieve consensus.
The RiskTree software takes the workshop output and generates a prioritized list of risks. The Processor can blend multiple trees together, either for the same or different assets, and generates charts and writes the risk assessment report.
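The following is an added example, written for this page and not RiskTree's own code or scoring model, showing the kind of computation the steps above describe: an attack tree with OR and AND gates, leaf risks scored on likelihood and impact, controls that lower likelihood, and a prioritized table produced once without controls (intrinsic risk) and once with them (residual risk), then mapped onto a configurable six-band scale. Everything below is an assumption for illustration: the gate semantics (OR takes the worst child, AND needs every child so its likelihood is the minimum), the likelihood x impact product, the band names and thresholds, the control model, and the sample tree about a customer-records asset.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed six-band scale. Assumption: the page only says the default scale has six
# points from Very High to Very Low; these labels and thresholds are illustrative.
# Each entry is (upper bound of likelihood x impact, label); scores run 1..25.
DEFAULT_SCALE = [
    (2, "Very Low"),
    (4, "Low"),
    (8, "Medium-Low"),
    (12, "Medium-High"),
    (16, "High"),
    (25, "Very High"),
]


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # points taken off the leaf's 1..5 likelihood


@dataclass
class Node:
    name: str
    gate: str = "OR"  # "OR": any child suffices; "AND": all children needed; "LEAF": a single step
    likelihood: int = 0  # leaves only, 1..5
    impact: int = 0  # leaves only, 1..5
    controls: List[Control] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, likelihood: int, impact: int, controls=()) -> Node:
    return Node(name, "LEAF", likelihood, impact, list(controls))


def band(score: int, scale=DEFAULT_SCALE) -> str:
    """Map a 1..25 score onto the first band whose upper bound it does not exceed."""
    for upper, label in scale:
        if score <= upper:
            return label
    return scale[-1][1]


def evaluate(node: Node, apply_controls: bool) -> Tuple[int, int]:
    """Return (likelihood, impact) for a node.
    Leaves: controls lower likelihood, never below 1, when apply_controls is set.
    OR gate: the child with the highest likelihood x impact (the attacker's best option).
    AND gate: every child must succeed, so likelihood is the minimum and impact the maximum."""
    if node.gate == "LEAF":
        l = node.likelihood
        if apply_controls:
            l = max(1, l - sum(c.likelihood_reduction for c in node.controls))
        return l, node.impact
    results = [evaluate(c, apply_controls) for c in node.children]
    if node.gate == "OR":
        return max(results, key=lambda li: li[0] * li[1])
    if node.gate == "AND":
        return min(r[0] for r in results), max(r[1] for r in results)
    raise ValueError(f"unknown gate {node.gate!r}")


def scenarios(node: Node, path=()):
    """Walk OR gates down to the distinct attack scenarios: a leaf, or an AND gate,
    which is scored as one unit because all of its steps are needed."""
    path = path + (node.name,)
    if node.gate == "OR":
        for c in node.children:
            yield from scenarios(c, path)
    else:
        yield " > ".join(path), node


def prioritized_table(roots: List[Node], apply_controls: bool, scale=DEFAULT_SCALE):
    """Blend one or more trees into a single table of scenarios, highest risk first."""
    rows = []
    for root in roots:
        for path, n in scenarios(root):
            l, i = evaluate(n, apply_controls)
            rows.append({"path": path, "likelihood": l, "impact": i,
                         "score": l * i, "band": band(l * i, scale)})
    rows.sort(key=lambda r: r["score"], reverse=True)  # stable: ties keep tree order
    return rows


# Constructed sample tree (hypothetical asset, steps, scores and controls).
SAMPLE_TREE = Node("Customer records disclosed", "OR", children=[
    Node("Steal database backup", "AND", children=[
        leaf("Obtain backup storage credentials", 4, 5,
             [Control("MFA on backup storage", 2)]),
        leaf("Backup is not encrypted", 3, 5,
             [Control("Encrypt backups at rest", 2)]),
    ]),
    leaf("SQL injection in web application", 4, 5,
         [Control("Parameterised queries and input validation", 3)]),
    leaf("Insider exports records", 2, 4,
         [Control("Export logging and periodic review", 1)]),
])

if __name__ == "__main__":
    for label, with_controls in (("Intrinsic", False), ("Residual", True)):
        print(f"--- {label} risk ---")
        for r in prioritized_table([SAMPLE_TREE], with_controls):
            print(f"{r['band']:<12} {r['score']:>2}  (L{r['likelihood']} x I{r['impact']})  {r['path']}")
```

Running the script prints the intrinsic table with SQL injection at the top (Very High, 20) and the backup-theft AND scenario next (High, 15), then the residual table where the planned controls bring every scenario down to Medium-Low or Low. The AND gate is the edge case worth noticing: lowering the likelihood of either precondition reduces the whole scenario, which is why one encryption control collapses the backup path.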
The RiskTree output can be used directly as a report, have recommendations added, and be shared with colleagues in an interactive format. Data from the output can be copied into other reports, downloaded into Excel for use as a risk register, or transferred into a Confluence-based RiskWiki for a complete risk management solution.