Every countermeasure in IriusRisk has an associated risk, priority and cost. These metrics matter to IriusRisk users because they allow a closer analysis of each countermeasure and, ultimately, a deeper understanding of the impact it will have on the threat model.
IriusRisk automatically calculates the countermeasure priority based on the associated threat with the highest risk. From a governance standpoint, this calculated value gives users better insight into how important the countermeasure is to implement. Since version 4.2, this priority can be overridden manually. To distinguish between the two types, IriusRisk displays the word "Calculated" next to the priority rating for calculated priorities.
This support article will provide a deeper understanding of priorities for countermeasures.
The cost is a variable for each countermeasure that equates to the level of effort required to implement it. This cost is subjective and depends on how a user measures implementation costs, e.g. hours to complete the implementation, resources needed for the implementation, etc.
Cost is measured in three states: Low, Medium and High. Each state allows users to distinguish the cost required to implement a countermeasure.
Furthermore, IriusRisk automatically generates the cost for each countermeasure; however, users can edit it to their preference.
The risk associated with a countermeasure can be viewed by querying this API endpoint.
The numerical risk value returned in this response originates from the highest-risk threat associated with that countermeasure. A single countermeasure can be assigned to multiple threats; in that case, the countermeasure's risk is taken from the highest risk of all of those threats.