Merge pull request #241 from CERTCC/feature/fix_185
Address time-sensitivity of some decision points
j--- authored Jun 21, 2023
2 parents 37944fc + 0353d73 commit df93def
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion doc/md_src_files/030_representingInformation.md
Expand Up @@ -3,7 +3,13 @@
# Representing Information for Decisions About Vulnerabilities

We propose that decisions about vulnerabilities—rather than their severity—are a more useful approach.
Our design goals for the decision-making process are to clearly define whose decisions are involved; properly use evidentiary categories; be based on reliably available evidence; be transparent; and be explainable.
Our design goals for the decision-making process are to
- clearly define whose decisions are involved
- properly use evidentiary categories
- be based on reliably available evidence
- be transparent
- be explainable

Our inspiration and justification for these design goals are that they are the features of a satisfactory scientific enterprise [@spring2017why] adapted to the vulnerability management problem.

To consider decisions about managing the vulnerability rather than just its technical severity, one must be clear about whose decisions are involved.
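Review bot: The new bullet list in this hunk follows the line "Our design goals for the decision-making process are to" with no blank line in between. The `[@spring2017why]` citation syntax suggests this file is built with pandoc, whose default Markdown does not let a list interrupt a paragraph (that needs the `lists_without_preceding_blankline` extension), so the five items would be rendered as one run-on paragraph with literal dashes. Insert a blank line after "are to" (or confirm the build enables that extension). Minor: the old sentence ended with a period; consider ending the last item ("be explainable") with one so the paragraph still closes.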
Expand All @@ -30,8 +36,14 @@ Quantified metrics are more useful when (1) data for decision making is availabl
Vulnerability management does not yet meet either criterion.
Furthermore, it is not clear to what extent measurements about a vulnerability can be informative about other vulnerabilities.
Each vulnerability has a potentially unique relationship to the socio-technical system in which it exists, including the Internet.

Vulnerability management decisions are often contextual: given what is known at the time, the decision is to do X.
But what is known can change over time, which can and should influence the decision.
The context of the vulnerability, and the systems it impacts, are inextricably linked to managing it.
Some information about the context will be relatively static over time, such as the contribution of a system to an organization's mission.
Other information can change rapidly as events occur, such as the public release of an exploit or observation of attacks.
Temporal and environmental considerations should be primary, not optional as they are in CVSS.
We discuss the temporal aspects further in [Information Changes over Time](information-changes-over-time).

We make the deliberation process as clear as is practical; therefore, we risk belaboring some points to ensure our assumptions and reasoning are explicit.
Transparency should improve trust in the results.
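Review bot: The cross-reference `[Information Changes over Time](information-changes-over-time)` in this hunk points at a bare slug rather than a heading anchor; as written it resolves to a relative path, which will be a dead link in most renderers. If the target is a section heading in this document set, the anchor form `#information-changes-over-time` is the usual fix, and it is worth confirming that the generated id matches the heading text. Also, "not optional as they are in CVSS" does not say which CVSS version is meant; the Temporal and Environmental metric groups are optional in v2 and v3.x, so naming the version (or citing the specification) would make the claim easier to verify as CVSS evolves.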