by Tony Badsey-Ellis
Traditionally risk assessment has been one of those chores that needs addressing annually. Someone flags that it’s been a while since the assessment for a system was completed, and with a sigh the assessment is dusted down and someone is assigned the task of revising it. This ticks the box and makes the problem go away for another year – but does it really give you an insight into your system security?
The benefits of using attack trees
Attack trees allow you to build a structured model of your risks. These can be quickly and easily updated as changes are made to the system being assessed. Rather than being an unwelcome annual process, updating the risk assessment becomes part of the day-to-day process. If you’re building a new system, it will integrate with project management, creating a virtuous circle in which new mitigations can be suggested by the assessment and fed into the development plans – with the assessment then reflecting the reduction in risk that then occurs.
Unlike some other risk assessment approaches, an assessment built using attack trees isn’t a monolithic creation that needs to be started again – in some cases almost from scratch – if a change is required. Adding a new risk to an attack tree is quick and easy, and reassessing the risks will be too.
Using your business language
The framework offered by attack trees empowers you to model any types of risk. You are no longer confined to a predetermined list, and you can express the risks in your organisation’s language. Attack trees eliminate the need for pre-canned risk statements, making your risk assessments comprehensible to more than just your risk team.
The structure of an attack tree shows how risks relate to one another. Similar risks group into branches of the tree. This can also suggest other areas in which some of the existing risks might apply, thus revealing more risks previously unrecognised.
You can work with attack trees in a variety of ways. Just sketching them out on a whiteboard can be a quick way to get started, but once you get into them you’ll be looking for an easier way to hold the data than a set of photos of whiteboards. That’s where RiskTree comes in. It’s a complete toolbox for building attack trees and assessing your risks, from concept to report. By gathering all of the information together electronically it lets you conduct data-driven risk analysis.
Capturing the detail for accuracy and compliance
The RiskTree Designer tool enables users to create attack trees using an internet browser. It provides a full suite of functions that allow for copying, pasting, annotating, and editing sections of trees. Collecting detailed information about risks.
RiskTree Processor combines one or more trees to generate a prioritized list of risks. These risks are presented as part of a risk assessment report, along with a selection of detailed charts and graphs that provide a unique way to explore risks.
Once users become familiar with the process, they can customise their risk levels, map their countermeasures to standards such as ISO27001 and NIST 800-53, thereby creating their own libraries for reuse across attack trees.
Read the NCSC’s advice on attack trees here.
For further advice on cyber risk please contact us here.