Risk Treatment

CycurRISK provides an overview of the risks on the "Risk Treatment" page. One risk is computed for each threat scenario: the attack feasibility rating (AFR) is taken from the linked threat, the impact is taken from the linked damage scenario, and from these two ratings the risk value between one and five is computed as specified under Risk Assessment and Treatment.

When you click Expand all, the risk of each threat scenario is shown in the column "Initial risk". Based on the above computation you get a risk value for each threat scenario, and for each of them you need to make a risk treatment decision.

A risk treatment decision for a given risk is one of the following.

  • Reduce
    The risk is reduced by means of a technical measure specified in one or several security goals, which must be linked.
  • Share
    The risk is shared with or transferred to one or several other parties. At least one corresponding security claim must be formulated and linked.
  • Retain
    A reasoning must be given whenever a residual risk greater than one is accepted. Security claims and goals shall be linked.
  • Avoid
    The risk is avoided by removing the risk sources or deciding not to start/continue with the activity that gives rise to the risk. Notice that this often leads to a change in the target of evaluation, which in turn eliminates the corresponding risk from the final version of the TARA.

The risk treatment decision is made in the TARA and can be updated or supplemented in the RRA. A typical case is that the decision "reduce" is made in the TARA and, once the corresponding measures have been implemented, the remaining risk is additionally retained in the RRA.
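The following is an added worked example, not CycurRISK code: it computes the initial risk of a threat scenario from its AFR and impact, checks a treatment decision against the linkage rules listed above (reduce needs a linked security goal, share needs a linked security claim, retain needs a reasoning once the residual risk exceeds one), and models the typical TARA-to-RRA step in which a reduced risk is later retained. The rating scales and the risk matrix are assumptions, modelled on the informative example matrix in ISO/SAE 21434 Annex H; CycurRISK uses whatever is configured under Risk Assessment and Treatment, and the sample threat scenario is constructed for illustration.

```python
"""Worked example of the Risk Treatment computation and decision rules.

Added illustration, not CycurRISK code. The rating scales and the risk matrix
are assumptions (modelled on the informative example in ISO/SAE 21434 Annex H).
"""
from dataclasses import dataclass, field, replace
from typing import Optional

# Assumed rating scales, ordered from lowest to highest.
AFR_LEVELS = ("very low", "low", "medium", "high")             # AFR of the linked threat
IMPACT_LEVELS = ("negligible", "moderate", "major", "severe")  # impact of the linked damage scenario

# Assumed risk matrix: RISK_MATRIX[impact][afr] -> risk value 1..5.
RISK_MATRIX = {
    "negligible": {"very low": 1, "low": 1, "medium": 1, "high": 1},
    "moderate":   {"very low": 1, "low": 2, "medium": 2, "high": 3},
    "major":      {"very low": 1, "low": 2, "medium": 3, "high": 4},
    "severe":     {"very low": 2, "low": 3, "medium": 4, "high": 5},
}


def risk_value(afr: str, impact: str) -> int:
    """Look up the 1..5 risk value for one (AFR, impact) pair."""
    if afr not in AFR_LEVELS:
        raise ValueError(f"unknown AFR {afr!r}")
    if impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact {impact!r}")
    return RISK_MATRIX[impact][afr]


@dataclass
class ThreatScenario:
    name: str
    afr: str                      # taken from the linked threat
    impact: str                   # taken from the linked damage scenario
    decision: str                 # reduce | share | retain | avoid
    security_goals: list = field(default_factory=list)   # linked security goals
    security_claims: list = field(default_factory=list)  # linked security claims
    reasoning: str = ""                                   # justification for retaining
    residual_afr: Optional[str] = None                    # AFR re-rated after measures (RRA)


def initial_risk(ts: ThreatScenario) -> int:
    """The 'Initial risk' column: computed from the original AFR and impact."""
    return risk_value(ts.afr, ts.impact)


def residual_risk(ts: ThreatScenario) -> int:
    """Residual risk: uses the re-rated AFR once measures have been implemented."""
    return risk_value(ts.residual_afr or ts.afr, ts.impact)


def decision_problems(ts: ThreatScenario) -> list:
    """Check a treatment decision against the linkage rules; an empty list means OK."""
    problems = []
    if ts.decision == "reduce":
        if not ts.security_goals:
            problems.append("reduce: at least one security goal must be linked")
    elif ts.decision == "share":
        if not ts.security_claims:
            problems.append("share: at least one security claim must be linked")
    elif ts.decision == "retain":
        # Reasoning is mandatory only when a residual risk above one is accepted.
        if residual_risk(ts) > 1 and not ts.reasoning.strip():
            problems.append("retain: reasoning required when residual risk > 1")
    elif ts.decision == "avoid":
        # Nothing to link: the scenario is expected to leave the final TARA
        # once the target of evaluation has been changed.
        pass
    else:
        problems.append(f"unknown decision {ts.decision!r}")
    return problems


def retain_in_rra(ts: ThreatScenario, residual_afr: str, reasoning: str) -> ThreatScenario:
    """Typical TARA -> RRA step: the measures behind the 'reduce' decision are in
    place, the AFR is re-rated, and the remaining risk is retained with a reasoning.
    The security goals linked in the TARA stay attached to the scenario."""
    return replace(ts, decision="retain", residual_afr=residual_afr, reasoning=reasoning)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real TARA.
    tara = ThreatScenario("Spoofed diagnostic session", afr="high", impact="major",
                          decision="reduce", security_goals=["SG-01 authenticated diagnostics"])
    print(tara.name, "initial risk:", initial_risk(tara), decision_problems(tara))
    rra = retain_in_rra(tara, residual_afr="low",
                        reasoning="Remaining risk accepted: diagnostics require authenticated access")
    print(rra.name, "residual risk:", residual_risk(rra), decision_problems(rra))
```

Running the script shows the initial risk of 4 for the sample scenario dropping to a residual risk of 2 after the AFR is re-rated, and the retain check failing until a reasoning is supplied, which is exactly the rule the "Retain" bullet above states.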