diff --git a/doc/md_src_files/030_representingInformation.md b/doc/md_src_files/030_representingInformation.md index e727e118..f8522b6e 100644 --- a/doc/md_src_files/030_representingInformation.md +++ b/doc/md_src_files/030_representingInformation.md @@ -3,7 +3,13 @@ # Representing Information for Decisions About Vulnerabilities We propose that decisions about vulnerabilities—rather than their severity—are a more useful approach. -Our design goals for the decision-making process are to clearly define whose decisions are involved; properly use evidentiary categories; be based on reliably available evidence; be transparent; and be explainable. +Our design goals for the decision-making process are to +- clearly define whose decisions are involved +- properly use evidentiary categories +- be based on reliably available evidence +- be transparent +- be explainable + Our inspiration and justification for these design goals are that they are the features of a satisfactory scientific enterprise [@spring2017why] adapted to the vulnerability management problem. To consider decisions about managing the vulnerability rather than just its technical severity, one must be clear about whose decisions are involved. 
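Review bot: the introductory line `+Our design goals for the decision-making process are to` now ends mid-sentence before the list, so when rendered the sentence simply breaks off; end it with a colon (`are to:`) and give the bullets a consistent terminal form (all fragments without periods, as now, or a full stop on the final item) so the list reads as one sentence. Otherwise the split from a semicolon-delimited sentence into a bullet list preserves all five goals and is a readability improvement.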
@@ -30,8 +36,14 @@ Quantified metrics are more useful when (1) data for decision making is availabl Vulnerability management does not yet meet either criterion. Furthermore, it is not clear to what extent measurements about a vulnerability can be informative about other vulnerabilities. Each vulnerability has a potentially unique relationship to the socio-technical system in which it exists, including the Internet. + +Vulnerability management decisions are often contextual: given what is known at the time, the decision is to do X. +But what is known can change over time, which can and should influence the decision. The context of the vulnerability, and the systems it impacts, are inextricably linked to managing it. +Some information about the context will be relatively static over time, such as the contribution of a system to an organization's mission. +Other information can change rapidly as events occur, such as the public release of an exploit or observation of attacks. Temporal and environmental considerations should be primary, not optional as they are in CVSS. +We discuss the temporal aspects further in [Information Changes over Time](information-changes-over-time). We make the deliberation process as clear as is practical; therefore, we risk belaboring some points to ensure our assumptions and reasoning are explicit. Transparency should improve trust in the results.
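Review bot: the cross-reference `[Information Changes over Time](information-changes-over-time)` links to a bare slug with no leading `#`, so Markdown renderers (and pandoc) will treat it as a relative file path rather than a heading anchor; if the target is a section heading in this document or the assembled book, write it as `(#information-changes-over-time)` or use whatever cross-reference syntax the other chapters already use. The new paragraph itself fits the surrounding argument; consider whether "the decision is to do X" is the register the rest of the chapter uses, since the adjacent sentences are more formal.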