Question - Liabilities

Zie,

As Esteban mentioned, liabilities are risk magnifiers. They are used to highlight the inherent risk involved with a particular asset. For example, if your organization has to be PCI compliant, you might create a PCI liability. If you apply that to all assets involved in your cardholder data environment, it will increase the risk calculation related to those assets. As a further example, you could use this to increase risks for things that are more critical to your PCI compliance initiative… the lack of enduring protection might be risky for all assets, but is more risky for PCI-scoped assets.

Examples of liabilities could be things like compliance requirements (i.e., PCI, SOC, SOX, etc.) or contractual requirements (say, a contract requirement with a key client/vendor).

Personally, I don’t use liabilities. I simply take the “liabilities” into account as I rate risk. Also, I create assets around known liabilities… “servers” vs “servers - PCI”. Not sure if this is the best solution, but it’s always worked for me.

I hope this helps.
