An overview of the RiskTree® process


RiskTree is a business process that is supported by on-line, cloud-hosted software-as-a-service. This software allows the risks to be described and related in an attack tree format, and saved using a standard XML notation. It then performs the risk analysis and prioritization, and generates a sorted risk table for review. Countermeasures (also known as controls) can then be applied, and their effects viewed on both the tree and the risk table. Integration with Microsoft Excel is provided, allowing risk registers to be automatically created from the RiskTree data.

RiskTree is being used by both the public and private sector, and is a tried and trusted method for information risk management. 2T Security provide training in both the process and the software, with the intent to leave our clients with the skills to manage their risks in-house, using the software.

A typical engagement will involve one to two weeks of consultancy time, during which we will understand your requirements and train your staff in the process and the use of the software. This will involve 'train the trainer' style sessions, initially with us facilitating risk identification workshops. We will then hand over to your staff, and help them process the output into intelligible business information using our RiskTree software. You then subscribe to the software, and we can continue to provide help and support, if required, after the end of the initial on-site consultancy time.

Process overview

The process for generating RiskTrees is shown in the diagram below.

[Figure: RiskTree process overview diagram]

The RiskTree Processor handles trees with and without controls applied, and so can be used to give a view of intrinsic risk (at the very start of a project), and residual risk (once controls have been planned); this allows the effect of the controls to be demonstrated.


The RiskTree Designer software allows creation of the trees within the browser environment. This can be done during the workshops, or as a data-capture exercise afterwards. The tree is built quickly and efficiently, and can then be submitted to the on-line service for secure assessment.

The RiskTree Processor analyses the risk data and generates a prioritized table of risks. By default, this table is sorted on a traditional six-point scale (Very High to Very Low), but a configuration tool allows this to be modified to suit your own requirements.