jimmythompson
commented
9 years ago I have a few questions regarding how this should work, and some suggestions for each of them.
How does the user input risk into the text editor? I have no idea what a good suggestion for this would be. Are we looking at a single number (risky between 1 and 10) or do we want to keep likelihood and impact separate?
How does risk appear on the tree? I'm liking the idea of a relative heat map on each of the nodes, so the more red a node is, the more risk it has. However, this would mean we prescribe a single idea of what risk is, whether it's adding impact and likelihood, or the product. If we don't want to do that I don't see how we can represent them other than just drawing them on each node.
How does risk of a child node affect its parent? This is an interesting discussion on its own, especially as we deal with AND vs. OR junctions. If a parent threat is the sum of all of its children, is the parent as risky as the riskiest child? Or is the risk of the parent the sum of all potential risks of the child?
The idea of risk is something the tree should be able to represent. Whether we define risk as likelihood and impact, like in Jim's quote, or something else. I've described it as risk since that seems to be a decent abstract term for it, value would be also acceptable.