Threats Manager Studio (TMS) includes an interface called Overview Dashboard, which provides a comprehensive view of the risks identified for the analyzed Solution and how to fix them.

The Overview Dashboard.

The dashboard is split into six quadrants:

  • The upper leftmost quadrant shows the identified Threat Types by Severity. It is built by calculating the Severity of each Threat Type as the maximum Severity assigned to the associated Threat Events. This pie chart essentially represents the current status of the risks for the analyzed Solution.
  • The lower leftmost quadrant shows the status of the identified Mitigations. It considers the Threat Event Mitigations, that is, the Mitigations associated with Threat Events. This means that a Mitigation “Apply strong channel encryption” applied to 10 different Threat Events would count as 10. This pie chart helps you understand the Mitigation coverage and may be used to demonstrate that the Development Team did a great job by including a significant percentage of the Mitigations.
  • The upper central quadrant shows the calculated Residual Risk after the various phases of the Roadmap. This is the same chart already discussed in the Roadmap page, so please refer to that explanation if required. This chart gives an idea of the impact of each phase of the Roadmap and helps you understand when the Residual Risk may be considered acceptable.

IMPORTANT
Ultimately, the responsibility for accepting or rejecting the Residual Risk lies with the Owners of the analyzed Solution. This page does not provide any guarantee and is only intended to provide a visual representation that shall be validated by the Owners.

  • The lower central quadrant shows the list of Mitigations split across the three phases of the Roadmap.
  • The upper rightmost quadrant shows the projected estimation of the Residual Risk after each phase of the Roadmap. Use the left and right navigation buttons to move between the various phases. This quadrant may be useful to answer the question about the distribution of the Severity after each phase, and is particularly important when compared with the upper leftmost quadrant.
  • The lower rightmost quadrant shows two tables: the upper one lists the worst five Threat Types, while the lower one lists the best five Threat Types. The first table can be used to understand what we may need to focus on if we prioritize the most severe issues. Conversely, the second table can be used to identify where the Development Team has done better. Both lists are ordered first by the Severity of the Threat Type, again calculated as the maximum Severity of the associated Threat Events, and then by Weight. The Weight is calculated by summing up the IDs of the Severities assigned to each Threat Event associated with the Threat Type: this sorts different Threat Types correctly, because it takes into account how widespread and how severe they are.
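
The ordering used by the worst-five and best-five tables can be reproduced outside the tool. The sketch below is an added example, not code from Threats Manager Studio: the Threat Type names are constructed sample data, the numeric Severity IDs are assumed values (higher means more severe), and it assumes the best-five table reads from least severe upward.

```python
from collections import defaultdict

# Assumed Severity IDs (higher = more severe); use the IDs defined in your model.
SEVERITY_ID = {"Info": 1, "Low": 25, "Medium": 50, "High": 75, "Critical": 100}

# Constructed sample data: (Threat Type, Severity of one associated Threat Event).
THREAT_EVENTS = [
    ("Spoofing of a service identity", "High"),
    ("Spoofing of a service identity", "High"),
    ("Spoofing of a service identity", "Medium"),
    ("Tampering with data in transit", "High"),
    ("SQL injection", "Critical"),
    ("Verbose error messages", "Low"),
    ("Verbose error messages", "Low"),
    ("Missing audit trail", "Medium"),
    ("Weak session timeout", "Low"),
    ("Banner disclosure", "Info"),
]

def rank_threat_types(events):
    """Return [(threat_type, severity_id, weight)], most severe first."""
    ids = defaultdict(list)
    for threat_type, severity in events:
        ids[threat_type].append(SEVERITY_ID[severity])
    # Severity of a Threat Type = max over its Threat Events; Weight = sum of the IDs.
    rows = [(name, max(v), sum(v)) for name, v in ids.items()]
    # Primary key: Severity. Secondary key: Weight, which separates Threat Types
    # of equal Severity by how many events they have and how severe those are.
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)

def worst_and_best(events, n=5):
    """Worst n (most severe first) and best n (assumed: least severe first)."""
    ranked = rank_threat_types(events)
    return ranked[:n], ranked[::-1][:n]

if __name__ == "__main__":
    worst, best = worst_and_best(THREAT_EVENTS)
    for title, rows in (("Worst five", worst), ("Best five", best)):
        print(title)
        for name, sev, weight in rows:
            print(f"  {name:32} severity={sev:3} weight={weight}")
```

In the sample, two Threat Types share the Severity High; the one with three Threat Events (Weight 200) ranks above the one with a single event (Weight 75), which is the case the Weight exists to resolve.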