Chapter 6: Risk Assessment

All critical elements in the system have to be protected against the threats identified during Threat Identification. A risk assessment systematically establishes the nature of each risk and determines its level; during Risk Treatment the results of the risk analysis are then compared against defined risk criteria to decide whether the risk and/or its magnitude is acceptable or tolerable.

Risk Assessment is performed, maintained and documented in dedicated Risk Assessment tables. A project can contain multiple assessment tables, technically even for the same set of threats. To create and fill an assessment table:

  1. Select a package that is designated for risk assessment and use "New | Threat Assessment" to create an assessment table. The table is initially empty.

  2. There are two supported ways to fill a risk assessment table. The fastest is to drag and drop a complete Threat Collection onto the assessment table: every identified threat/asset pair that is marked "To Be Assessed" and is not yet in the table is added automatically, and the likelihood level and parameters are copied into the assessment if they are available at the threat.

  3. Threats can also be dropped individually onto the assessment table; in that case the "To Be Assessed" flag is ignored. If a threat references multiple assets, a row is created for each threat/asset pair.

  4. Alternatively, the "+" button in the table creates a new entry; the threat to be assessed and the affected asset then have to be selected manually. This approach needs more clicks and more effort to fill the table, but it gives the user full control over which threat/asset pairs are assessed.

  5. Each entry combines a threat/asset pair with additional columns for likelihood (parameters and level) and severity (parameter and level), and finally a security or risk level.
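The three filling rules above (collection drop honouring the "To Be Assessed" flag, individual drop ignoring it, manual "+" entry) and the resulting table rows, as an added Python model that is not the tool's own code; the 3x3 risk matrix, the class names and the sample threats are assumptions for illustration only.

```python
from dataclasses import dataclass, field

# Assumed 3x3 risk matrix (likelihood -> severity -> risk level), not the tool's own.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}

@dataclass
class Threat:
    name: str
    assets: list                 # a threat may reference several assets
    to_be_assessed: bool = True  # flag set during Threat Identification
    likelihood: str = None       # level copied into the assessment when present
    likelihood_params: dict = field(default_factory=dict)
@dataclass
class Row:
    threat: str
    asset: str
    likelihood: str = None
    likelihood_params: dict = field(default_factory=dict)
    severity: str = None         # entered by the assessor later

class AssessmentTable:
    def __init__(self):
        self.rows = []           # a new table is initially empty
    def has(self, threat, asset):
        return any(r.threat == threat and r.asset == asset for r in self.rows)
    def _add_pairs(self, t):
        # One row per threat/asset pair; pairs already in the table are skipped.
        new = [Row(t.name, a, t.likelihood, dict(t.likelihood_params))
               for a in t.assets if not self.has(t.name, a)]
        self.rows.extend(new)
        return len(new)
    def drop_collection(self, threats):
        # Dropping a whole Threat Collection honours the "To Be Assessed" flag.
        return sum(self._add_pairs(t) for t in threats if t.to_be_assessed)
    def drop_threat(self, t):    # dropping a single threat ignores the flag
        return self._add_pairs(t)
    def add_manual(self, threat, asset):
        # The "+" button: threat and asset chosen by hand, nothing is copied.
        if self.has(threat, asset):
            return False
        self.rows.append(Row(threat, asset))
        return True
    def risk_level(self, row):
        # A risk level exists only once both likelihood and severity are set.
        if row.likelihood is None or row.severity is None:
            return None
        return RISK_MATRIX[row.likelihood][row.severity]
```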