At present, the maximum effectiveness of control strategies is specified by the property core#blockingEffect. As discussed in #99, this is often set to 'Safe' because there is no way to increase it if needed. The blocking effect should therefore be set at a level reflecting control strategy effectiveness for users who unlikely to be targeted in ways designed to evade the controls.
The idea is that those who are likely to be targeted by such attacks can reduce control strategy effectiveness by lowering control coverage levels. Unfortunately, a system-modeller bug means this doesn't work as it should, so more control strategies will have blocking effect set at a lower level.
Here it is proposed that we remove 'blocking effect' from domain models, and instead assume all control strategies are 'Safe' unless their controls have reduced coverage levels. The control coverage levels can then be set to reflect an 'average' situation, since they can be both increased or decreased to better model the situation faced by each risk analyst.
At present, the maximum effectiveness of control strategies is specified by the property
core#blockingEffect. As discussed in #99, this is often set to 'Safe' because there is no way to increase it if needed. The blocking effect should therefore be set at a level reflecting control strategy effectiveness for users who unlikely to be targeted in ways designed to evade the controls.The idea is that those who are likely to be targeted by such attacks can reduce control strategy effectiveness by lowering control coverage levels. Unfortunately, a system-modeller bug means this doesn't work as it should, so more control strategies will have blocking effect set at a lower level.
Here it is proposed that we remove 'blocking effect' from domain models, and instead assume all control strategies are 'Safe' unless their controls have reduced coverage levels. The control coverage levels can then be set to reflect an 'average' situation, since they can be both increased or decreased to better model the situation faced by each risk analyst.