To be developed
Which adversaries are motivated and skilled enough to reach through which routes to affect your assets with what impact?
In most situations this will give you a very large combination of possibilities:
Number of Threats x Number of Routes x Range of Impacts
This number will only grow as you start adding possible security plans to the assessment.
To start with, pick the top threats, the main routes, and the most valuable assets and prioritise those.
As you develop the detail of your security risk assessment you will need to manage this information, probably in a database rather than a spreadsheet, as spreadsheets quickly become unwieldy at this scale.
Bear in mind that this database is itself an asset, and that it can be used to discover the vulnerabilities in your systems; this is, after all, what you are using it for. It too must be included in your asset register and your risk assessment.
For the first assessments you can focus on direct, simple attacks where the adversary attempts to ‘break in’ and affect an asset using one technique.
In practice adversaries are likely to work more slowly and more piecemeal; they might attack the office network to steal some information about your developer network, then use that to persuade developers to reveal some information about the software used, then use that to insert some malware into an open-source software library being used.
This complicates the “assets, impacts and residual risks” view, because adversaries might attack low-impact assets to gain the information they need to reach high-impact assets.
While you can largely ignore this on the first pass, you should leave a placeholder in your risk assessment for working out attack chains: courses of action made up of several linked attacks rather than a single technique.
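As an added illustration (not part of the original text) of both the Threats x Routes x Impacts combination above and the attack-chain point, the small risk register below contrasts the first-pass "break in with one technique" view with the chained view. Threat names, asset names, the 1 to 3 capability/difficulty/impact scores and the routes are constructed examples, not taken from any real assessment.

```python
# Constructed sample register (illustrative names and 1-3 scores, not from any real assessment).
THREATS = {"opportunist": 1, "organised crime": 2, "state actor": 3}      # capability
ASSETS = {"office docs": 1, "developer info": 2, "software build": 3}     # impact if affected
# route -> (difficulty, asset reached, asset that must already be held; None = direct route)
ROUTES = {
    "attack office network":           (1, "office docs", None),
    "persuade developers":             (2, "developer info", "office docs"),
    "insert malware into OSS library": (2, "software build", "developer info"),
    "break into build server":         (3, "software build", None),
}


def combination_count():
    """Size of the Threats x Routes x Impacts space the text warns about."""
    return len(THREATS) * len(ROUTES) * len(ASSETS)


def direct_attacks(threat):
    """First pass: assets reachable by a single route with no prerequisite,
    limited to routes the threat is capable of using."""
    cap = THREATS[threat]
    return {asset for diff, asset, prereq in ROUTES.values()
            if prereq is None and diff <= cap}


def attack_chains(threat):
    """Second pass: keep adding routes whose prerequisite asset is already held,
    so low-impact assets become stepping stones. Returns {asset: routes used}."""
    cap = THREATS[threat]
    reached = {}
    changed = True
    while changed:
        changed = False
        for route, (diff, asset, prereq) in ROUTES.items():
            if asset in reached or diff > cap:
                continue
            if prereq is None:
                reached[asset] = [route]
                changed = True
            elif prereq in reached:
                reached[asset] = reached[prereq] + [route]
                changed = True
    return reached


def residual_impact(threat):
    """(highest impact via direct attack, highest impact once chains are counted)."""
    direct = max((ASSETS[a] for a in direct_attacks(threat)), default=0)
    chained = max((ASSETS[a] for a in attack_chains(threat)), default=0)
    return direct, chained
```

With these sample scores the "organised crime" threat can only reach the impact-1 office documents directly, but reaches the impact-3 software build by chaining through developer information, which is exactly the gap the placeholder for attack chains is meant to capture.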