Basic Operations

This help file is intended to give you some basic hints as to how to use the interface. If you are completely unfamiliar with the program, you may want to watch the video demo first. Read Getting Started to learn more about using the toolkit for Risk Assessment.

Screen Layout

The screen is divided into two main sections, a structural tree view on the left hand side, and a reporting / data entry view on the right.

The divider between these two sections can be dragged with the mouse to allocate a greater proportion of the screen to either one of these areas.

The Left Hand Tree View

In the structural tree view on the left, you will create, organize, and find things. Items on this side with a + or - in a box next to them can be expanded for greater depth or collapsed to hide detail. Right clicking on any item on the left will display a context menu which will allow you to create additional items, delete items, or rename them.

You can also drag and drop items on the left hand tree view to re-organize them or associate them. For example, you can drag an Activity to associate it with a different part of the organization, or a different location. You can also drag a Threat to move it with a different Threat Category, or to associate it with a Location, Activity or Resource it threatens.

The Right Hand Page View

On the right hand side you can view reports and enter additional information about the item that is selected in the left hand tree view.

Treat the right hand side as you would a web page: links on the page allow you to add or edit data, or will navigate to a different item.

If some text is shown in red, then it indicates that either some necessary information is missing or that there is an inconsistency in the information provided.

Selected data may have an Copy to Clipboard button below it. This allows you to copy the table to the Windows Clipboard for insertion in other documents.

The Action Pane

On the very right of the screen are a series of buttons which allow you to print or print preview the page currently being displayed, or to access the Getting Started guide, the Help Index, or help on the currently displayed page. As this help information is constantly being updated and improved, this information is kept online and you will need an Internet connection to access the help files. The help information will be displayed in your default web browser.

The Main Menu

The File menu lets you open an existing analysis, create a new analysis, or save the current analysis.
The View menu contains some useful shortcuts for accessing the top level items on the left hand side tree view.
The Tools menu contains commands intended to help you with your analysis: you can load a set of common threats, or view a list of guide words to help you identify new threats.
The Help menu provides help, displays registration and purchasing information, a check for updates function, and program version information.

Where Next?

After reading this, you may wish to read Getting Started if you haven't done so already.

Once an organization has identified a risk, it needs to decide what (if anything) it is going to do about it. This is called its Risk Strategy. The extent to which an organization is prepared to accept a risk is its Risk Tolerance.

The common options are as follows:

Risk Acceptance. Do nothing or effectively self-insure against the risk. This is the default strategy if you do nothing. It is also an appropriate strategy if you are a large company with lots of resources and the impact of the risk is comparatively small. Governments frequently self-insure many risks as they are sufficiently large to absorb any potential losses and this saves on the difference between insurance premiums and expected losses.
Risk Transfer. The most common example of this is insurance (paying another company to take the risk), but other examples include joint ventures (which share the risk) and contracting out operations (which transfers the risk in exchange for potentially higher costs).
Risk Avoidance. Change the process or procedure so that the risk is eliminated.
Risk Mitigation. Adopting changes to operations and procedures or adding additional controls or training to either reduce the likelihood of a threat occurring, or to reduce the impact of the threat when it does occur. Business Continuity Planning — pre-planning what the organization will do in the event of an incident — is sometimes regarded as a risk mitigation strategy in itself.

In the Risk Assessment Toolkit, the risk strategy is recorded with each Threat to [Item], and displayed in the Risk Register. Management should check the risk strategies identified in the Risk Register to ensure that they match the organization's Risk Tolerance.