Re-evaluate Risk Assessment concepts #104

Closed
coolharsh55 opened this issue Aug 2, 2023 · 3 comments
@coolharsh55
Collaborator

Current discussions in context of #64 Data Breach, #74 Risk Management, and #100 Incidents have also included a re-evaluation of the Risk Assessment model and its concepts. More specifically, how to depict the ex-ante aspect of risk in terms of sources and causes with terms including Threat, Threat Source, Risk Source, and Vulnerability. This issue is to keep track of this discussion and to identify affected issues/documents, including #103 Guide for Data Breach.

@coolharsh55 coolharsh55 added this to the DPV v1.1 milestone Aug 2, 2023
@coolharsh55
Collaborator Author

Current consensus on proposed concepts - see https://lists.w3.org/Archives/Public/public-dpvcg/2023Aug/0006.html

  • Risk: Potential event
    • associated using hasRisk with system or asset
    • e.g. System hasRisk Risk
  • Incident: Realised 'risk' event
    • NOT a subclass of Risk
    • associated with Risk using refersToRisk (new)
    • e.g. Incident refersToRisk Risk
  • Consequence: potential effect of a risk
    • associated using hasConsequence
    • indicates what is affected by hasConsequenceOn
  • Impact: potential effect of a consequence
    • associated using hasImpact
    • indicates what is affected by hasImpactOn
  • RiskMitigationMeasure: measures to 'control' the risk
    • is associated with Risk using mitigatesRisk
    • synonymous with Risk Control
    • is referred to by Risk using isMitigatedByMeasure
    • specific 'control types' to be added later e.g. remove risk source
    • Though the term 'Control' is preferred in standards, we already had
      Risk Mitigation Measure in DPV as the term used in regulations
  • Risk Source: the 'cause' or 'source' of a Risk (new)
    • associated using hasRiskSource
    • exists for compatibility with ISO 31K
    • Threat and Threat Source are specific categories of Risk Sources
  • Threat: Risk source event which causes Risk (new)
    • is associated with Risk using causedByThreat
    • e.g. Risk causedByThreat Threat
    • e.g. Incident causedByThreat Threat
  • Threat Source: Source of threat event (new)
    • is associated with Threat using hasThreatSource
    • e.g. Threat hasThreatSource ThreatSource
    • includes agent and non-agent sources
  • Vulnerability: Intrinsic property of a system or asset that is
    utilised by the Threat Source in a Threat event to cause Risk (new)
    • is associated with system or asset using isVulnerabilityOf (new)
    • e.g. Vulnerability isVulnerabilityOf System
    • is referred to by a system or asset using hasVulnerability (new)
    • e.g. System hasVulnerability Vulnerability
    • These are helpful to keep track of Vulnerabilities
    • is associated with Threat using isExploitedBy (new)
    • e.g. Vulnerability isExploitedBy Threat
    • is referred to by Threat using exploitsVulnerability (new)
    • e.g. Threat exploitsVulnerability Vulnerability
    • The below relation between Risk/Incident and Vulnerability is
      necessary as without it the risk has to go through Threat to
      understand the vulnerability. It is okay if the graph is only referring
      to a single risk, but for multiple threats and vulnerabilities, Risk
      is modelled as a combination of specific Threat and Vulnerability -
      which this relation permits.
    • is referred to by Risk using causedByVulnerability (new)
    • e.g. Risk causedByVulnerability Vulnerability
    • e.g. Incident causedByVulnerability Vulnerability
  • Likelihood and hasLikelihood to represent and specify the likelihood
    associated with an event
  • Severity and hasSeverity to represent and associate the severity
    associated with an event
  • RiskLevel and hasRiskLevel to specify the 'level' of Risk. Level
    (qualitative) is inclusive of Score (quantitative)
  • The rest of the ISO glossary applies as usual e.g. Risk Owner with
    relation hasRiskOwner, processes for Risk Management, Risk
    Identification, Risk Assessment, etc. These are to be added later.
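The following is an added example, not code from the DPV project or from the issue author. It models the proposed concepts and relations above as a tiny in-memory triple graph and shows the point made about causedByVulnerability: when one Threat exploits several Vulnerabilities of the same asset, walking Risk -> causedByThreat -> exploitsVulnerability returns every vulnerability that threat can use, whereas the direct Risk -> causedByVulnerability relation pins the specific (Threat, Vulnerability) combination that a given Risk represents. It also materialises the inverse pairs named in the proposal and checks that no instance is typed as both Incident and Risk. The "ex:" prefix and all instance names (ex:Asset, ex:T1, ex:V1, ...) are constructed for the illustration; no real DPV IRIs are assumed.

```python
from collections import defaultdict

# Relation names are taken from the proposal in this issue. Each pair below is
# declared as mutually inverse so that either direction can be queried.
INVERSE_OF = {
    "hasVulnerability": "isVulnerabilityOf",
    "exploitsVulnerability": "isExploitedBy",
    "mitigatesRisk": "isMitigatedByMeasure",
}
INVERSE_OF.update({v: k for k, v in list(INVERSE_OF.items())})


class RiskGraph:
    """Minimal (subject, predicate, object) store with inverse materialisation."""

    def __init__(self):
        self.index = defaultdict(set)   # (subject, predicate) -> {objects}
        self.types = defaultdict(set)   # instance -> {concept names}

    def declare(self, instance, concept):
        self.types[instance].add(concept)

    def add(self, subject, predicate, obj):
        self.index[(subject, predicate)].add(obj)
        inverse = INVERSE_OF.get(predicate)
        if inverse:
            # e.g. adding Asset hasVulnerability V1 also yields V1 isVulnerabilityOf Asset
            self.index[(obj, inverse)].add(subject)

    def objects(self, subject, predicate):
        return set(self.index.get((subject, predicate), ()))


def vulnerabilities_via_threat(g, risk):
    """Risk -causedByThreat-> Threat -exploitsVulnerability-> Vulnerability.
    Returns every vulnerability any causing threat can exploit, not just
    the one this particular Risk is about."""
    found = set()
    for threat in g.objects(risk, "causedByThreat"):
        found |= g.objects(threat, "exploitsVulnerability")
    return found


def vulnerabilities_direct(g, risk):
    """Risk -causedByVulnerability-> Vulnerability (the relation the proposal adds)."""
    return g.objects(risk, "causedByVulnerability")


def check_incident_not_risk(g):
    """The proposal states Incident is NOT a subclass of Risk; report instances typed as both."""
    return sorted(i for i, t in g.types.items() if {"Incident", "Risk"} <= t)


def build_sample_graph():
    # Constructed sample: one threat exploits two distinct vulnerabilities of one
    # asset; each (Threat, Vulnerability) combination is modelled as its own Risk.
    g = RiskGraph()
    for inst, concept in [
        ("ex:Asset", "System"), ("ex:T1", "Threat"), ("ex:TS1", "ThreatSource"),
        ("ex:V1", "Vulnerability"), ("ex:V2", "Vulnerability"),
        ("ex:R1", "Risk"), ("ex:R2", "Risk"), ("ex:I1", "Incident"),
        ("ex:M1", "RiskMitigationMeasure"),
    ]:
        g.declare(inst, concept)
    g.add("ex:Asset", "hasVulnerability", "ex:V1")
    g.add("ex:Asset", "hasVulnerability", "ex:V2")
    g.add("ex:Asset", "hasRisk", "ex:R1")
    g.add("ex:Asset", "hasRisk", "ex:R2")
    g.add("ex:T1", "hasThreatSource", "ex:TS1")
    g.add("ex:T1", "exploitsVulnerability", "ex:V1")
    g.add("ex:T1", "exploitsVulnerability", "ex:V2")
    g.add("ex:R1", "causedByThreat", "ex:T1")
    g.add("ex:R1", "causedByVulnerability", "ex:V1")   # R1 = T1 combined with V1
    g.add("ex:R2", "causedByThreat", "ex:T1")
    g.add("ex:R2", "causedByVulnerability", "ex:V2")   # R2 = T1 combined with V2
    g.add("ex:M1", "mitigatesRisk", "ex:R1")
    g.add("ex:I1", "refersToRisk", "ex:R1")            # realised event, not a Risk
    g.add("ex:I1", "causedByThreat", "ex:T1")
    g.add("ex:I1", "causedByVulnerability", "ex:V1")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("R1 via Threat :", sorted(vulnerabilities_via_threat(g, "ex:R1")))  # V1 and V2
    print("R1 direct     :", sorted(vulnerabilities_direct(g, "ex:R1")))      # only V1
    print("R1 mitigated by:", sorted(g.objects("ex:R1", "isMitigatedByMeasure")))
    print("V1 exploited by:", sorted(g.objects("ex:V1", "isExploitedBy")))
    print("Incident/Risk conflicts:", check_incident_not_risk(g))
```

The via-Threat query answers "which vulnerabilities could this threat use", while the direct relation answers "which vulnerability this Risk is the combination of"; a risk register that only records the first cannot distinguish ex:R1 from ex:R2, which is the ambiguity the bullet above describes.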

@ghurlbot

Comment by @coolharsh55 via IRC channel #dpvcg on irc.w3.org

The risk assessment concepts will be discussed for acceptance in the next meeting, scheduled for AUG-24

@ghurlbot

Comment by @coolharsh55 via IRC channel #dpvcg on irc.w3.org

Risk assessment concepts have been accepted and will be added to the risk extension in the next update.

@coolharsh55 coolharsh55 modified the milestones: DPV v1.1, dpv v2.1 Apr 13, 2024