Risk treatment plan should use (or at least allow) more filtering #182
Comments
|
One point: in #2 (comment), it was noted that if we simply suppress lines for behaviours that are not causing threats, we can end up with assets being left out of the risk treatment report. My proposal is not to leave out any assets. It is to leave out rows in the table of behaviours that have no significance. If we find an asset where all of the rows were filtered out under these criteria, we should keep the asset in the list (name, type, description), and display a statement to say it has no behaviours with a significant role in creating or treating risks. |
|
Reviewed by @mike1813 : this probably should be addressed because we know ongoing research projects do need enhanced reports. The code affected is fairly new, and was originally intended to meet some of those needs. However, this issue relates to a usability enhancement, which may or may not be important to users in those research activities. If it is not likely to cause a problem, then it could be put on hold instead. |
In the version tagged as v3.6.0-test, the web U/I supports extraction of a risk treatment plan. This provides a list of system model asset classes, each displayed with its type, a brief description, and its population level, followed by a table listing its potential (mis)behaviours. This table cites threats that cause each misbehaviour, and control strategies that block those threats.
In many cases, an asset misbehaviour will not be caused directly by any threat(s), or if it is, those threat(s) have no viable control strategy. In such cases, we will get a lot of rows in the misbehaviour tables that add complexity without adding value (in terms of showing how the risks are being treated, at least).
This becomes evident if using a domain model in which vulnerability discovery threat paths have been refactored, as described for the network domain model in issue Spyderisk/domain-network#139. The refactoring ensures that all the threat paths leading to the loss of TW attributes reflecting freedom from software vulnerabilities have a common initial cause threat, allowing control strategies to reduce the likelihood of vulnerabilities or limit their duration to be applied to a single threat.
Using a test case modelling an online store, and this refactored domain model, the first asset is a client browser whose misbehaviours list includes the following lines:
The 'LossOfExtrinsic-*-TW' behaviours relate to possible CVSS metric values that may be used to describe a software vulnerability, so that each type of software vulnerability can be modelled by reducing a different combination of the associated TW levels. Previously, software vulnerability discovery threats leading to each of these behaviours was addressed by the 'SoftwarePatching' control strategy. Now, after threat path refactoring in the domain model, this control strategy now applies only to a single 'VulnerabilityDiscovey' pre-cursor threat. The CVSS-aligned behaviours now have no control strategy, so they are not related directly to any risk treatment, so we should have a mechanism ot filter them out of the risk treatment plan tables.
The text was updated successfully, but these errors were encountered: