On your tutorial Vimeo page in the "06 How to implement risk treatment" video, you showed an example (see screenshot attached) in which you listed 2 separate lines for the same asset, with the same threat, but with 2 different vulnerabilities.
Would it not make more sense to list this under 1 line?
That way there is 1 asset, 1 threat, 2 vulnerabilities and 2 controls.
I ask this because for some of our threats, we have 5-6 vulnerabilities and 5-6 controls to mitigate them. Should we split this into different lines, or is it okay to have multiple vulnerabilities, with multiple controls, and multiple assets within 1 line?