Risk analysis

Our quantitative, objective and reproducible method

Circle Networks' “Surface” method for risk assessment is an evolution of attack-defence tree analysis: it replaces the coarse and arbitrary valuation of vulnerabilities with a resilient, quantitative structure and facilitates the creation of solution concepts as cost-effective combinations of countermeasures. The method fulfills the requirements of the standards NIST SP 800-39 and ISO-27005.

Read the white paper

Title page and sample page of white paper on Surface

Initial creation

Attack trees

The numeric algorithm allows a gradient assessment of risks and possible countermeasures and analyses their effect along the attack tree. Different scenarios can be compared in a reproducible way, and the results can be visualised in a comprehensible manner or, when desired, summarised in a risk matrix at the end. The “Surface” method thus creates a tool for structured, formalised product development in information technology (whether software or hardware), but also for monitoring any kind of system, plant, or infrastructure.

Continuous monitoring

Scenarios and Changes

Changes to the situation can easily be assessed. When new vulnerabilities are discovered, their effect on the system to be protected can be evaluated directly by adjusting the corresponding parts of the model. In parallel, new countermeasures can be identified or activated. The various cases can be maintained in a single model and easily compared using scenarios. The model is therefore particularly suitable for continuous risk assessment.


Dependable application

The “Surface” method makes risk assessment

  • structured, by identifying vulnerabilities along the attack trees and allowing the completeness of the analysis to be assessed,
  • reproducible, by supporting continuous and automatic repetition of the computations,
  • objective and disputable, by recording each individual valuation of vulnerabilities and effectiveness and supporting their adjustment when new information becomes available, and
  • verifiable, by providing information on the sensitivity of the results to initial, arbitrary valuations and thus on the plausibility of the final outcomes.

Circle Networks is happy to do your risk analysis or to support you in applying the Surface method yourself.

The first step to controlled risks

Get in touch to discuss your specific use case.

Phone us, or send us an email