Spyderisk / system-modeller

Spyderisk web service and web client

No cause threats #120

Open mike1813 opened 11 months ago

mike1813 commented 11 months ago

In the past, it was necessary for every primary or secondary threat to have at least one role-level cause, i.e., a cause defined in terms of an asset behaviour (for secondary threats) or TWA (for primary threats).

This was problematic, because many normal-op threats and some side effect (triggered) threats don't depend on any behaviour or TWA. For example, many normal-op threats just happen unless prevented by functionality disablement controls. As a result, a workaround had to be included in domain models, adding a cause expressed using an 'artificial' TWA (usually 'Default TW') to such threats.

Of course, this 'artificial' cause makes no sense to system-modeller users.

More recently, mixed cause threats were introduced, whereby a threat could have a mixture of these causes. A side effect of that work is to remove the need for any role-level causes to be present, leaving the threat likelihood to be determined from intrinsic threat frequency and the effect of control strategies.

However, causeless threats may still break the subsequent post-processing to find threat paths and deduce risk levels per threat including downstream effects to which the threat is a contributory cause. This should be checked by @mike1813.

In addition, @scp93ch should check if causeless threats would cause problems with the threat path analyser used in the system-modeller adaptor code.

scp93ch commented 11 months ago

Can I suggest that you come up with a domain model and system model that have a causeless threat and as a first step we see if it breaks anything? Obviously we would then still need to check carefully whether it caused something to go wrong which was not immediately obvious but I think a test case would be useful before looking at this.

mike1813 commented 11 months ago

@scp93ch : I created a domain model and a test. This showed that (contrary to my expectations), the threat likelihood calculation cannot handle the no-cause threats. I expected problems with calculations related to threat paths, but not threat likelihood.

Because of this, I have not committed the domain model changes to the corresponding branch of the domain-network project.

See here for more information, including links to the domain model, and further up the page, test cases.