The risk is defined as the combination of negative consequences (i.e. damage potential) and likelihood (i.e. attack effort). According to our preferred workflow (see Threat Analysis and Risk Assessment), the attack effort is assessed for threats and controls, while the damage potential is assessed for security goals. This means that something else is necessary to bring damage potential and attack effort together so that the risk can be calculated. We call this propagation.

Relations between Elements

Propagation means that the attack effort and damage potential are passed on to related elements according to specific rules. The following picture summarizes this well:

Propagation of Attack Effort and Damage Potential

The relations explained:

depends on
Both security goals and controls can depend on other security goals. If the referenced security goal is broken, the security goal or control dependent on it is also broken.

threatened by
Security goals can be threatened by threats. The security goal is broken if the threat is implemented successfully.

refined by
Threats can be refined by other threats. The attack effort of the root threat is a combination of the attack effort of the refining threats. This models an attack tree.

mitigated by
Threats can be mitigated by controls or assumptions. In order to implement the threat, the control must also be broken. Assumptions contribute a damping effect that is applied to referencing elements.

damped by
The damping effect of assumptions can also be applied to security goals directly.

All relations support complex expressions with operators. For example, a security goal can be threatened by two threats, T1 and T2, combined either as (T1 and T2) or as (T1 or T2). The first case means that both threats must be implemented to break the security goal, while the second case means that implementing either threat is sufficient.

The damage potential is propagated along the modeled relation and the attack effort is propagated in the opposite direction. The operators and the kind of the relation are taken into account during propagation.

Propagation Example

Let’s assume that we have identified the asset “password” that is threatened by two threats: man-in-the-middle attack (T1) and social engineering (T2). T1 is mitigated by transport layer security (C1). The screenshots below show the raw data entered in itemis SECURE and the corresponding propagation graphs rendered by the tool.


The first graph shows that the attack effort to break TLS is propagated to T1 (man-in-the-middle attack) and combined with the attack effort for its implementation. This attack effort is higher than the attack effort to implement T2 (social engineering). Consequently, the attack effort of T2 is propagated to the security goal, as shown in the second graph, because an attacker would choose the easiest attack path.
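The password example above can be reproduced as a small model. This is an added sketch, not itemis SECURE code: the numeric scores, the dictionary layout and the combination rules (minimum for "or", sum for "and" and for "mitigated by") are assumptions chosen for illustration, since the page does not state the tool's exact rules.

```python
# Added illustration, not itemis SECURE code. Effort scores are constructed
# (higher = harder). Assumed combination rules: "or" takes the minimum (easiest
# path), "and" and "mitigated by" add efforts up (everything must be broken).
RELATIONS = ("threatened_by", "refined_by", "mitigated_by")

MODEL = {  # the page's example: password goal, T1 (MITM) behind C1 (TLS), T2
    "SG": {"damage": 4, "threatened_by": ("or", "T1", "T2")},
    "T1": {"effort": 3, "mitigated_by": "C1"},
    "T2": {"effort": 5},
    "C1": {"effort": 8},
}

def evaluate(expr, model):
    """Return (effort, path) for an element name or an (op, operand, ...) tuple."""
    if isinstance(expr, str):
        return element_effort(expr, model)
    op, *operands = expr
    results = [evaluate(o, model) for o in operands]
    if op == "or":   # any operand suffices: the attacker picks the cheapest
        return min(results, key=lambda r: r[0])
    if op == "and":  # all operands are required
        return sum(r[0] for r in results), [n for r in results for n in r[1]]
    raise ValueError(f"unknown operator: {op}")

def element_effort(name, model):
    """Effort propagates against the relation: from threats/controls up to the goal."""
    elem = model[name]
    effort, path = elem.get("effort", 0), [name]
    for rel in RELATIONS:
        if rel in elem:
            sub_effort, sub_path = evaluate(elem[rel], model)
            effort, path = effort + sub_effort, path + sub_path
    return effort, path

def propagate_damage(model):
    """Damage propagates along the relation: from each goal down to what it references."""
    damage = {}
    def walk(expr, value):
        if not isinstance(expr, str):
            for operand in expr[1:]:
                walk(operand, value)
            return
        damage[expr] = max(damage.get(expr, 0), value)
        for rel in RELATIONS:
            if rel in model[expr]:
                walk(model[expr][rel], value)
    for name, elem in model.items():
        if "damage" in elem:
            walk(name, elem["damage"])
    return damage
```

With these constructed scores, `element_effort("SG", MODEL)` selects the path through T2, matching the second graph described above; changing the expression to `("and", "T1", "T2")` forces the attacker through both threats and the control.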