This is in reference to the Appendix_1_Risk_Assessment_Table_EN spreadsheet.
In preparation for filling in the Risk Assessment Table, I recognized that a particular asset, say a "laptop", could have more than one threat, and by selecting any given threat there could be more than one vulnerability. How do you account for these multiple possibilities with each asset? The combinations seem like there could be many?
This is true - if you have one asset and e.g. 3 threats related to this asset, and e.g. 2 vulnerabilities related to each threat, you will have a total of 6 risks for one asset only. If you have 100 assets, this would be 600 risks in total.
You have to determine the impact and likelihood for each of these risks, and if the risk is unacceptable, you have to determine which controls to use to decrease such risk.
So with that said, let's assume I see 3 threats related to each asset and several vulnerabilities as well. Do I list the asset multiple times with the different threat/vulnerability combination next to each listing? Or is there a way to reflect multiple threat/vulnerabilities?