We have observed two different ways of thinking about Risks: if damage is in the focus, people prefer to define Risks based on Security Goals, if attack paths and likelihood is in the focus, people prefer Threats. We think that it makes sense to have one Risk for several related elements so that reports become more clear. It depends on your use-case how you define a Risk.
Leave A Comment