SSVC
Eisenhower matrix tutorial
As a simple tutorial on how to walk through the bootstrapping process, we could write a tutorial that models the Eisenhower matrix:
- Importance: yes, no
- Urgency: yes, no
Outcome set(s):
- do, schedule, delegate, delete
- do first, schedule, delegate, do not do
https://en.wikipedia.org/wiki/Time_management#The_Eisenhower_Method
The idea here is to provide a conceptual bridge for folks who might already be familiar with the Eisenhower Matrix but want to explore implementing prioritization decisions in SSVC.
Related: #337
I'm not fond of the "do not do".
| do first | schedule | delegate | do not do |
|---|---|---|---|
| required | recommended | delegate | document and ignore |
| necessary | suggested | delegate | reject |
Laurie
So just doing a Google image search for eisenhower matrix, I find:
Important+Urgent | Important+Not Urgent | Not Important+Urgent | Not Important+Not Urgent |
---|---|---|---|
Do | Schedule | Delegate | Delete |
Do Now | Schedule | Delegate | Delete |
Do | Decide | Delegate | Delete |
Do First and Reduce | Schedule | Delegate | Delete or Leave |
Do | Schedule | Delegate | Limit |
Do First | Delay | Delegate | Don't Do |
Do | Schedule | Delegate | Eliminate |
Reduce | Schedule | Delegate | Declutter |
Do | Schedule | Automate | Delete |
Do | Plan | Delegate | Drop |
I'm going for very low translation overhead, which means using the words people already use in the way they use them. My preference would be to not inject new words like "required", "necessary", "suggested", "reject" etc. because they're not part of the established vocabulary in how folks label the Eisenhower Matrix. (And by that argument "do not do" is also somewhat out of the running because it's not as prevalent as Delete .)
So I guess it's "pick one from each column". Do, Schedule, and Delegate seem straightforward enough. The question is what to call the not-important-not-urgent one. Delete seems to be pretty common, but there is more variation in what people call this one.
Aside: It's not lost on me that RFC-2119's MUST, SHOULD, MAY, and MUST NOT are functionally equivalent. However those tend to show up in normative documents rather than in the kinds of operational decisions we're trying to model, so I don't know that we'd need them for anything. (Creating them as an outcome set is easy though if we chose to do so.)
How much do we want the "Not Important+Not Urgent" category to translate to our Defer outcome? Whatever the term, the Eisenhower matrix terms are more aggressive about removing that category from the decision-maker's attention than we are in SSVC. "Leave" and "do not do" are not very common in your search, but are semantically closest to Defer I think. If we don't care about semantic closeness for the example, then I guess delete is fine. But I don't think we would want that to be an action for vulnerability management, so it may also cause us problems with the tutorial when we transition to SSVC concepts. Properly I suppose the only way to find out is to ask readers and consumers of the guidance.
I'm not sure we need to map it onto our existing vocabulary at all. I was just thinking that "say you already have a system that is based on the 2x2 -> 4 Eisenhower matrix. Here's how you might model that using SSVC." It wouldn't be about semantic agreement with existing SSVC things, it would be about using SSVC components to model something most folks already understand. It points folks towards adapting SSVC "bricks" to their own decision construction needs.
As a possible extension, we could do one that is a little more IT centric, a la an ITIL priority matrix like the one at https://blog.invgate.com/itil-priority-matrix
Although I note that at that page they show a 3x3 Impact/Urgency matrix that maps onto four priorities then a few lines later they talk about 5 SLA priorities. So they have the right concept, just inconsistent mapping. We can probably find better examples.
See also the outcome set abstraction discussion at
- #359
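The modeling idea in this thread (take the 2x2 Eisenhower matrix, express it as two decision points plus an interchangeable outcome set, and later the ITIL-style 3x3 Impact/Urgency matrix whose four priorities do not line up with five SLA tiers) is sketched below as an added example. It is plain Python written for this page, not the SSVC project's library or its API: `DecisionPoint`, `OutcomeSet`, `Policy` and `itil_priority` are names assumed here for illustration, the Eisenhower rows use the labels quoted in the thread, and the 3x3 mapping is a constructed rule rather than the one on the linked blog. It goes slightly beyond the 2x2 case by running the same completeness check over an NxM matrix so that an outcome that is declared but never selected is reported instead of silently ignored.

```python
"""Model a priority matrix (Eisenhower 2x2, ITIL-style 3x3) as SSVC-style bricks.

Added example, not the SSVC project's own library or API: DecisionPoint, OutcomeSet
and Policy are names assumed here for illustration. The tables below are constructed
from the labels discussed in the thread, not taken from any published mapping.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DecisionPoint:
    """One input with a fixed set of values, e.g. Urgency: no / yes."""
    name: str
    values: Tuple[str, ...]


@dataclass(frozen=True)
class OutcomeSet:
    """The vocabulary a policy may emit, e.g. do / schedule / delegate / delete."""
    name: str
    values: Tuple[str, ...]


@dataclass
class Policy:
    """A total mapping from every combination of decision-point values to one outcome."""
    points: Tuple[DecisionPoint, ...]
    outcomes: OutcomeSet
    table: Dict[Tuple[str, ...], str]

    def validate(self) -> List[str]:
        """Return problems found; an empty list means the policy is complete and consistent."""
        problems: List[str] = []
        expected = set(product(*(p.values for p in self.points)))
        for combo in sorted(expected - set(self.table)):       # every input combination needs a row
            problems.append(f"no outcome for {combo}")
        for combo in sorted(set(self.table) - expected):       # rows must use declared input values
            problems.append(f"row {combo} uses values not in the decision points")
        for combo, out in self.table.items():                  # rows must use declared outcomes
            if out not in self.outcomes.values:
                problems.append(f"row {combo} -> {out!r} is not in outcome set {self.outcomes.name!r}")
        for out in sorted(set(self.outcomes.values) - set(self.table.values())):
            problems.append(f"outcome {out!r} is declared but never selected")  # dead vocabulary
        return problems

    def decide(self, **inputs: str) -> str:
        """Look up one outcome by decision-point name, e.g. decide(importance="yes", urgency="no")."""
        return self.table[tuple(inputs[p.name.lower()] for p in self.points)]

    def relabel(self, new_outcomes: OutcomeSet) -> "Policy":
        """Same decision structure, different words: swap outcome labels positionally."""
        if len(new_outcomes.values) != len(self.outcomes.values):
            raise ValueError("outcome sets must be the same size to relabel positionally")
        rename = dict(zip(self.outcomes.values, new_outcomes.values))
        return Policy(self.points, new_outcomes, {k: rename[v] for k, v in self.table.items()})


# --- Eisenhower 2x2: two decision points, one of several interchangeable outcome sets ---
IMPORTANCE = DecisionPoint("Importance", ("no", "yes"))
URGENCY = DecisionPoint("Urgency", ("no", "yes"))

EISENHOWER = Policy(
    points=(IMPORTANCE, URGENCY),
    outcomes=OutcomeSet("Eisenhower", ("do", "schedule", "delegate", "delete")),
    table={
        ("yes", "yes"): "do",        # important + urgent
        ("yes", "no"): "schedule",   # important + not urgent
        ("no", "yes"): "delegate",   # not important + urgent
        ("no", "no"): "delete",      # not important + not urgent
    },
)

# The alternative vocabulary quoted in the thread, applied without touching the decision logic.
EISENHOWER_ALT = EISENHOWER.relabel(
    OutcomeSet("Eisenhower (alt)", ("do first", "schedule", "delegate", "do not do"))
)

# --- ITIL-style 3x3 Impact/Urgency matrix (constructed mapping, not a published one) ---
LEVELS = ("low", "medium", "high")
IMPACT = DecisionPoint("Impact", LEVELS)
ITIL_URGENCY = DecisionPoint("Urgency", LEVELS)


def itil_priority(impact: str, urgency: str) -> str:
    """Constructed rule: add the two level indexes (0..4) and bucket into four priorities."""
    score = LEVELS.index(impact) + LEVELS.index(urgency)
    return {4: "P1", 3: "P2", 2: "P3"}.get(score, "P4")


# Five SLA tiers are declared, but the 3x3 matrix only ever produces four: validate() flags it.
ITIL = Policy(
    points=(IMPACT, ITIL_URGENCY),
    outcomes=OutcomeSet("SLA priority", ("P1", "P2", "P3", "P4", "P5")),
    table={(i, u): itil_priority(i, u) for i, u in product(LEVELS, LEVELS)},
)

if __name__ == "__main__":
    for name, policy in (("Eisenhower", EISENHOWER), ("Eisenhower alt", EISENHOWER_ALT), ("ITIL", ITIL)):
        print(name, "problems:", policy.validate() or "none")
    print(EISENHOWER.decide(importance="yes", urgency="no"))     # schedule
    print(EISENHOWER_ALT.decide(importance="no", urgency="no"))  # do not do
```

The point of `validate()` is the one raised about the ITIL page: a matrix and an outcome vocabulary are separate bricks, and nothing forces them to agree, so the check that every input combination has exactly one row and every declared outcome is reachable is what keeps a tutorial's "translation" honest when the words are swapped. `relabel()` is the "pick one from each column" step: the decision structure stays fixed while the outcome set changes.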