coolharsh55
commented
1 year ago Current consensus on proposed concepts - see https://lists.w3.org/Archives/Public/public-dpvcg/2023Aug/0006.html
- Risk: Potential event
- associated using hasRisk with system or asset
- e.g. System hasRisk Risk
- Incident: Realised 'risk' event
- NOT a subclass of Risk
- associated with Risk using refersToRisk (new)
- e.g. Incident refersToRisk Risk
- Consequence: potential effect of a risk
- associated using hasConsequence
- indicates what is affected by hasConsequenceOn
- Impact: potential effect of a consequence
- associated using hasImpact
- indicates what is affected by hasImpactOn
- RiskMitigationMeasure: measures to 'control' the risk
- is associated with Risk using mitigatesRisk
- synonymous with Risk Control
- is referred to by Risk using isMitigatedByMeasure
- specific 'control types' to be added later e.g. remove risk source
- Though the term 'Control' is preferred in standards, we already had Risk Mitigation Measure in DPV as the term used in regulations
- Risk Source: the 'cause' or 'source' of a Risk (new)
- associated using hasRiskSource
- exists for compatibility with ISO 31K
- Threat and Threat Source are specific categories of Risk Sources
- Threat: Risk source event which causes Risk (new)
- is associated with Risk using causedByThreat
- e.g. Risk causedByThreat Threat
- e.g. Incident causedByThreat Threat
- Threat Souce: Source of threat event (new)
- is associated with Threat using hasThreatSource
- e.g. Threat hasThreatSource ThreatSource
- includes agent and non-agent sources
- Vulnerability: Intrinsic property of a system or asset that is
utilised by the Threat Source in a Threat event to cause Risk (new)
- is associated with system or asset using isVulnerabilityOf (new)
- e.g. Vulnerability isVulnerabilityOf System
- is referred to by a system or asset using hasVulnerability (new)
- e.g. System hasVulnerability Vulnerability
- These are helpful to keep track of Vulnerabilities
- is associated with Threat using isExploitedBy (new)
- e.g. Vulnerability isExploitedBy Threat
- is referred to by Threat using exploitsVulnerability (new)
- e.g. Threat exploitsVulnerability Vulnerability
- The below relation between Risk/Incident and Vulnerability is necessary as without it the risk has to go through Threat to understand the vulnerability. Is okay if the graph is only referring to a single risk, but for multiple threats and vulnerabilities, Risk is modelled as a combination of specific Threat and Vulnerability - which this relation permits.
- is referred to by Risk using causedByVulnerability (new)
- e.g. Risk causedByVulnerability Vulnerability
- e.g. Incident causedByVulnerability Vulnerability
- Likelihood and hasLikelihood to represent and specify the likelihood associated with an event
- Severity and hasSeverity to represent and associate the severity associated with an event
- RiskLevel and hasRiskLevel to specify the 'level' of Risk. Level (qualitative) is inclusive of Score (quantitative)
- The rest of the ISO glossary applies as usual e.g. Risk Owner with relation hasRiskOwner, processes for Risk Management, Risk Identification, Risk Assesment, etc. These are to be added later.
ghurlbot
Current discussions in context of #64 Data Breach, #74 Risk Management, and #100 Incidents have also included a re-evaluation of the Risk Assessment model and its concepts. More specifically, how to depict the ex-ante aspect of risk in terms of sources and causes with terms including Threat, Threat Source, Risk Source, and Vulnerability. This issue is to keep track of this discussion and to identify affected issues/documents, including #103 Guide for Data Breach.