Defining a risk owner tree customization workflow

[j---]

Document an expected workflow for how a risk owner (say, security manager or CISO) could use the section "Tree customization guidance" to actually create a JSON schema representing their desired tree (and so their desired risk posture)
This will include at least the following:

• UX / persona level documentation and setting requirements
• modifying or creating tools to support the workflow and creation of the schema

Insofar as we had a process for this during the SSVC v2 creation of the recommended trees, it was using the scripts in src/enumerate*.sh to make CSVs with a blank last row and then filling in the desired priority per row based on discussion. But since part of tree customization guidance is picking different decision points, that would amount to editing those scripts so the CSV would contain different combinations of values. That is not going to be a sustainable thing to ask folks to do, if nothing else because it is open to transcription errors (in reading from the documentation and description of decision points to representing them in the script).

[ahouseholder]

Specifically, the current content appears in lines 88-176 of /doc/md_src_files/060_decision-trees.md

However, this topic seems to imply a change in tooling as well as updating the text. I'm going to spawn this into a discussion for us to sort that out and then we can generate new issues to break up the task from there once we have a better idea of what's going on.

[ahouseholder]

• We should probably merge Add detail about customization, tree sharing, and decision point scope #242 before modifying content because it's going in a similar direction.

[j---]

Thanks Allen. I agree this has several parts.
I suppose the question is what text or guidance in "tree customization guidance" can be supported by a tool or workflow that would walk a CISO through it? So far, we've had to do a lot of that in person. Maybe the first step is trying to just understand the signposts that we walk through when we have this conversation with a risk owner?

[ahouseholder]

It's been a while since I've thought about this, and even longer since I've been directly involved in customizing a tree, but from my recollection the process was approximately this:

flowchart TD

subgraph Customize Tree
start([Start])
A[/What decisions are you making?/]
A1[for decision in decisions]
Z([End])
end

subgraph Outcomes
B[/What are the possible outcomes of the decision?/]
B1[for outcome in outcomes]
B2{{Is outcome already defined?}}
B3[Add outcome to list]
end

subgraph DecisionPoints
C[/What factors are relevant to the decision?/]
C1[for factor in factors]
C2{{Does an existing decision point capture this factor?}}
C3{{Is a new decision point needed?}}
C4[Create new decision point]
C5{{Really?}}
end

subgraph MakeTree
D[Generate tree]
D1{{Too many outcomes?}}
D2{{Too many factors?}}
D3{{Tree quality met?}}
D4[Save tree]
end


start --> A


A --> A1
A1 -->|not done| B
A1 -->|done|Z

B --> B1
B1 -->|not done| B2
B2 -->|yes| B1
B2 -->|no| B3
B3 --> B1

B1 -->|done| C
C --> C1
C1 -->|not done| C2
C2 -->|yes| C1
C2 -->|no| C3
C3 -->|yes| C5
C5 -->|yes| C4
C5 -->|no| C1
C3 -->|no| C1
C4 --> C1

D --> D1
D1 -->|yes| B
D1 -->|no| D2
D2 -->|yes| C
D2 -->|no| D3
D3 -->|yes| D4
D3 -->|no| D
D4 --> A1

C1 -->|done| D

Loading

The Really? question in the new decision point path is there to interrupt the tendency toward "everything is a little bit relevant" that we've encountered repeatedly. But it's technically redundant to the Too many factors? decision under Generate tree.

[ahouseholder]

I think this was resolved by PR #308 which created a bootstrapping process.