Efficient risk assessment requires automation of its most tedious tasks: identification of vulnerabilities, attacks that can exploit these vulnerabilities, and countermeasures that can mitigate the attacks. E.g., the attack tree generation by policy invalidation approach looks at systematic automatic generation of attack trees from a socio-technical model of an organization. Attack trees succinctly represent the ways to attack the system. They are useful for identifying the most dangerous attacks, and can be explained to the stakeholders. We now propose a technique to generate attack-defence trees from a socio- technical model. Generated trees incorporate not only attacks, but also defences already present in the system. Furthermore, they can be further used as a basis for risk treatment.