Based on the risk assessment, proportionate mitigations can be implemented to protect critical elements and ultimately to reduce the risk to a level acceptable to the related stakeholders. Risk treatment is performed in the same table as the risk assessment, using separate attributes dedicated to treatment and mitigation. To separate assessment from treatment, the table offers dedicated filter mechanisms at the top of the editor to toggle the treatment and assessment columns.
By default, the table offers a column to select one or more treatment options. Depending on the selected option, further columns have to be filled in with additional information.
Toggle the "Risk Treatment" view in the assessment editor (and untoggle the "Risk Assessment" view if you like).
Each row shows at least the threat/asset pair and the calculated risk/security level. Editing the "Treatment Option" of a row offers four options.
"Avoidance" expresses that a certain system element, feature or function shall be avoided in the system due to unacceptable risk. Affected design elements can be referenced in the "Affected Design Elements" column.
"Mitigation" expresses that dedicated security measures have to be considered in the design in order to mitigate the identified risk. Security measures and security requirements can be referenced in the "Measures" and "Requirements" columns respectively.
"Acceptance" expresses that the identified risk is below the risk criteria of all affected stakeholders and can therefore be accepted as is. No further elements need to be referenced for this option, though a justification can be given in the "Justification" column as an argument for this treatment option.
"Transfer" expresses that the identified risk is transferred to a third party, for example by obtaining tailored cyber insurance. Depending on the risk level, the process involved and the identified amount of coverage, the transfer may be expressed by dedicated security measures or requirements to underpin the complexity of the transfer.
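The four treatment options each expect different columns to be filled in, which makes the treatment table easy to check mechanically for incomplete rows before a review. The following is an added example, not part of the tool or its documentation: it models a treatment row with the columns described above (threat/asset pair, calculated risk level, treatment option, affected design elements, measures, requirements, justification) and reports rows whose references do not match the chosen option. The integer risk scale, the acceptance threshold of 2 as a stand-in for the stakeholders' risk criteria, and the sample table contents are all assumptions constructed for the example.

```python
"""Completeness check for risk-treatment rows, modelled on the treatment
columns described in the text. Example code, not the tool's own logic."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class TreatmentOption(Enum):
    AVOIDANCE = "Avoidance"
    MITIGATION = "Mitigation"
    ACCEPTANCE = "Acceptance"
    TRANSFER = "Transfer"


@dataclass
class TreatmentRow:
    threat: str
    asset: str
    risk_level: int                              # calculated risk level (assumed integer scale)
    option: Optional[TreatmentOption] = None     # None: no treatment decided yet
    affected_design_elements: List[str] = field(default_factory=list)
    measures: List[str] = field(default_factory=list)
    requirements: List[str] = field(default_factory=list)
    justification: str = ""


def validate_row(row: TreatmentRow, acceptance_threshold: int = 2) -> List[str]:
    """Return findings for one row; an empty list means the row is complete.

    acceptance_threshold is an assumed stakeholder risk criterion: a risk
    level above it must not be accepted without a justification.
    """
    findings: List[str] = []
    tag = f"{row.threat} -> {row.asset}"
    if row.option is None:
        return [f"{tag}: no treatment option selected"]
    if row.option is TreatmentOption.AVOIDANCE and not row.affected_design_elements:
        findings.append(f"{tag}: Avoidance chosen but no affected design elements referenced")
    if row.option is TreatmentOption.MITIGATION and not (row.measures or row.requirements):
        findings.append(f"{tag}: Mitigation chosen but no measures or requirements referenced")
    if row.option is TreatmentOption.ACCEPTANCE and row.risk_level > acceptance_threshold:
        msg = f"{tag}: Acceptance of risk level {row.risk_level} exceeds threshold {acceptance_threshold}"
        if not row.justification:
            msg += " and no justification given"
        findings.append(msg)
    if row.option is TreatmentOption.TRANSFER and not (
        row.measures or row.requirements or row.justification
    ):
        findings.append(f"{tag}: Transfer chosen but not underpinned by measures, requirements or a justification")
    return findings


def validate_table(rows: List[TreatmentRow], acceptance_threshold: int = 2) -> Dict[int, List[str]]:
    """Validate every row; the result maps row index to its findings (only rows with findings)."""
    result: Dict[int, List[str]] = {}
    for index, row in enumerate(rows):
        findings = validate_row(row, acceptance_threshold)
        if findings:
            result[index] = findings
    return result


# Constructed sample table; threats, assets, levels and references are illustrative only.
SAMPLE_TABLE = [
    TreatmentRow("Spoofing of diagnostic tester", "Diagnostic interface", 4,
                 TreatmentOption.MITIGATION, requirements=["REQ-AUTH-01"]),
    TreatmentRow("Firmware tampering via update channel", "Update service", 5,
                 TreatmentOption.MITIGATION),                 # no measures or requirements yet
    TreatmentRow("Debug port left enabled", "Debug port", 4,
                 TreatmentOption.AVOIDANCE, affected_design_elements=["Debug header"]),
    TreatmentRow("Disclosure of internal log", "Log buffer", 1,
                 TreatmentOption.ACCEPTANCE),                 # low risk, acceptable as is
    TreatmentRow("Replay of unlock command", "Door control", 3,
                 TreatmentOption.ACCEPTANCE),                 # above threshold, unjustified
    TreatmentRow("Backend data breach", "Customer backend", 3,
                 TreatmentOption.TRANSFER, justification="Covered by cyber insurance policy"),
    TreatmentRow("Sensor data manipulation", "Sensor bus", 2),  # treatment not decided
]

if __name__ == "__main__":
    for index, findings in validate_table(SAMPLE_TABLE).items():
        for text in findings:
            print(f"row {index}: {text}")
```

Running the script lists three incomplete rows from the sample table: the mitigation without references, the acceptance of a risk above the assumed threshold without a justification, and the row with no treatment option at all. Raising the threshold argument changes which acceptances are flagged, which is how differing stakeholder criteria would be reflected.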