In our system, adding a Threat to Risk does not automatically mean that all Vulnerabilities exploited by the Threat are associated with the Risk.  The following graphic breaks down the overall process for associating Risks, Threats, Vulnerabilities and Assets in ControlMap:

Detailing The Process

Let's consider THT-1: Phishing as an example.


An actor using THT-1:Phishing can exploit the following vulnerabilities:


1. VUL-1: Lack of awareness training 

2. VUL-2:  Weak authentication or lack of 2FA

3. VUL-3:  Lack of firewall 

For effective risk management and assessment, you must create a separate Risk for each combination of Threat and Vulnerability. 

Why? Because each combination of threat and vulnerability has a different impact, mitigation, and treatment option. Additionally, various departments or employees in your organization may be responsible for mitigating these risks.  Mitigating a firewall issue is very different from mitigating an awareness training issue.

For example, you create a risk called:

RSK-1: Risk of untrained employees falling prey to social engineering. 

Then the following combination of threat + vulnerability applies:

Threat -> THT-1: Phishing 

Vulnerability -> VUL-1: Lack of training 

In the case above, if you expect all vulnerabilities linked to THT-1 to show for RSK-1 automatically, it will be misleading.  For example, VUL-3: Lack of the firewall will not be the right vulnerability for RSK-1.