vz-risk / veris

Vocabulary for Event Recording and Incident Sharing (VERIS)
http://verisframework.org

Separating properties vs separate enumerations and its implication for unknown vs not involved interpretations #371

Open gdbassett opened 3 years ago

gdbassett commented 3 years ago

One issue with VERIS is whether the non-existence of a coding means "unknown if it happened" or "didn't happen". The correct way to handle this schema-wise is to group things that, if one is recorded and the others are not, into the same property. This can be seen, for example, in action varieties and vectors. In those cases, if a variety is chosen and no others are, it means the other varieties didn't happen (or at least we have no reason to believe they happened).

This can be contrasted with the 'vector' type within the action. In theory the results could be in with the varieties; however, if an action variety such as 'Use of stolen creds' is chosen, it would have no bearing on whether 'web app' was relevant. As such, 'web app' (and all vectors) are in a separate property.

This can also be seen in asset. 'Cloud' could be an asset within the assets list; however, choosing an assets variety (such as 'Server - Other') does not then imply that cloud is or is not relevant. This could also be thought of in the inverse. If 'cloud' is chosen and no other assets varieties are chosen, it wouldn't imply that those assets varieties weren't involved, but simply that they were unknown. Only choosing an assets variety that was involved would then imply the lack of other assets varieties. As such, assets.variety and cloud are separate properties.

This is not a practical issue that VERIS users will have to deal with as it is more about guiding the design of the schema and choosing when and when not to create a separate property. However, it can help in understanding what not choosing an enumeration means in a property while coding incidents.
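As an added illustration (not code from the VERIS project or this issue), here is a small Python interpreter for the reading rule described in the comment above: an enumeration absent from a grouped property reads as "not involved" once any sibling value is coded, while an absent value in a separate property reads as "unknown". The property paths, the grouped/separate split and the sample record are assumptions modelled loosely on the VERIS JSON layout, not the schema's own definitions.

```python
"""Interpret the absence of an enumeration in a VERIS-style incident record."""

# Assumption: these dotted paths behave as grouped properties, i.e. coding one
# value implies the uncoded siblings were not involved (or there is no reason
# to believe they were). Vectors are grouped among themselves, separately
# from varieties, as the issue describes.
GROUPED = {
    "action.hacking.variety",
    "action.hacking.vector",
    "asset.assets.variety",
}
# Assumption: asset.cloud is a separate property; its absence says nothing
# about the assets varieties, and vice versa.
SEPARATE = {"asset.cloud"}

# Constructed sample incident; enumeration strings are illustrative only.
INCIDENT = {
    "action": {"hacking": {"variety": ["Use of stolen creds"],
                           "vector": ["Web application"]}},
    "asset": {"assets": [{"variety": "Server - Other"}],
              "cloud": ["External Cloud Asset(s)"]},
}


def _values(incident, path):
    """Return the values recorded at a dotted path, descending into lists."""
    node = incident
    for key in path.split("."):
        if isinstance(node, list):
            node = [item.get(key) for item in node if isinstance(item, dict)]
        elif isinstance(node, dict):
            node = node.get(key)
        else:
            return []
        if node is None:
            return []
    return node if isinstance(node, list) else [node]


def involvement(incident, path, value):
    """Answer 'yes', 'no' or 'unknown' for whether `value` was involved."""
    recorded = _values(incident, path)
    if value in recorded:
        return "yes"
    if path in GROUPED and recorded:
        return "no"       # a sibling in the same property was coded instead
    return "unknown"      # nothing coded here, or a separate property
```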