Feature Request - Risk Inheritance

Hey guys,

while implementing eramba in our organization, I faced a challenge I wanted to share with you. Maybe others have similar issues and this could result in a new feature.

The main problem I faced can be summarized as “Inherit risks (or risk score) to another asset”. Let me give an example to make the situation clear:

Business Unit 1 is the owner of a SAP Application Server
Business Unit 2 is the owner of an Active Directory Server

The Active Directory Server is linked to the SAP Application Server because the SAP Application Server uses Active Directory for authentication.

So when I do a risk analysis on the Active Directory and I find a risk, it should be also displayed to Business Unit 1, because the SAP Application server is also exposed to the risk of the Active Directory.

So in other words, risk inheritance would be a nice feature. It would allow us to inherit the risk of an asset to other assets that are linked to it.

Let me know what you think of this idea.

Thanks and regards

The way this could be implemented is by “suggesting” assets that are hierarchically above the one you originally selected; these would be shown in the asset field:

When you add the other assets (or rather, leave the ones we suggested) and save the risk, the system does the same as always in terms of reports, etc.

This would require the asset-related functionality to think in terms of hierarchies (which is not the case now).

Hi,

Your proposed approach using the Applicable Asset is a workaround for us, but unfortunately not very usable in the long term.

Let's take my example from above again:

Business Unit 1 is the owner of a SAP Application Server
Business Unit 2 is the owner of an Active Directory Server

BU2 identifies 10 risks related to the AD Server and creates 10 different risks in the Asset Risk Management.

When BU1 tells BU2 that they also use the AD with their SAP Server, BU2 has to open all 10 risk scenarios and put SAP as Applicable Asset, which creates a lot of. As we are a quite big organisation with a lot of cross-referencing services, this makes a lot of work to handle.

Our idea of inheritance would work as follows:

BU1 puts the related assets in the Asset Identification:

and Eramba would show all related risks to this asset in the asset risk management interface.

I hope I could explain my issue in an understandable way.
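The inheritance model discussed in this thread, sketched as an added Python example (not eramba's code): assets with owning business units and dependency links, risks recorded directly on an asset, a lookup that returns the risks an asset inherits from everything it depends on, and the "hierarchically above" suggestion from the earlier reply. The asset names, BU names, links and risk titles are constructed sample data.

```python
from collections import deque

# Constructed inventory: asset -> owning business unit (sample data).
OWNERS = {"AD Server": "BU2", "SAP Application Server": "BU1", "HR Portal": "BU1"}

# Constructed links: dependent asset -> assets it relies on. SAP authenticates
# against AD, so SAP depends on AD; the HR portal runs on the SAP server.
DEPENDS_ON = {"SAP Application Server": {"AD Server"},
              "HR Portal": {"SAP Application Server"}}

# Constructed risks recorded directly on an asset by its owning BU.
DIRECT_RISKS = {"AD Server": {"AD-R01 weak password policy", "AD-R02 no MFA for admins"},
                "HR Portal": {"HR-R01 outdated web framework"}}


def dependents_of(asset, links=DEPENDS_ON):
    """Assets hierarchically above `asset` (those relying on it, directly or
    transitively): the candidates to suggest in a risk's asset field."""
    seen, queue = {asset}, deque([asset])
    while queue:
        current = queue.popleft()
        for dependent, deps in links.items():
            if current in deps and dependent not in seen:  # seen set breaks cycles
                seen.add(dependent)
                queue.append(dependent)
    return seen - {asset}


def effective_risks(asset, links=DEPENDS_ON, risks=DIRECT_RISKS):
    """Risks an asset is exposed to: its own plus those inherited from every
    asset it depends on, followed transitively through the links."""
    seen, queue = {asset}, deque([asset])
    result = set(risks.get(asset, ()))
    while queue:
        for dep in links.get(queue.popleft(), ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
                result |= risks.get(dep, set())
    return result


def risks_by_business_unit(owners=OWNERS, links=DEPENDS_ON, risks=DIRECT_RISKS):
    """What each owner would see in its asset risk view, inherited risks included."""
    view = {}
    for asset, bu in owners.items():
        view.setdefault(bu, set()).update(effective_risks(asset, links, risks))
    return view
```

With this data BU1 sees both AD risks without BU2 touching any of its risk records, which is the effect the thread asks for.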