
Risk Tolerance Curve suggestion

Open priamai opened this issue 3 years ago • 3 comments

This is not strictly required by the FAIR methodology but would be a nice addition. Typically a CISO will draw the LOE for the inherent and residual risk; he will then ask his CTO/CEO/CFO to provide a few data points to build a risk tolerance curve. An example from a PAN talk is here:

[image attached to the original issue]

The tolerance curve will be interpolated from the few data points provided (the user should choose from linear, expo or polynomial).

The tolerance curve should then be intersected with the other two to find out the breakout points. It would be wonderful to have a class to inject such a LOE from input data.

Cheers!

priamai avatar Jun 01 '21 22:06 priamai
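The procedure sketched in this issue (fit a tolerance curve through a handful of executive-supplied points, then intersect it with a loss exceedance curve to find where risk crosses out of appetite), as an added stand-alone example that is not pyfair code and not from this thread. It assumes constructed tolerance points, taken from the values floated below, and a deterministic list of annual losses standing in for a Monte Carlo run; the three interpolation modes are linear segments, exponential (linear in log probability) segments, and a Lagrange polynomial through all points.

```python
import math
from bisect import bisect_left, bisect_right

# Constructed example: (loss, highest acceptable probability of exceeding that
# loss in a year), using the values floated in this thread.
TOLERANCE_POINTS = [(100, 1.0), (1_000, 0.2), (10_000, 0.1)]

def tolerance_curve(points, method="linear"):
    """Build f(loss) -> tolerated exceedance probability from a few data points.
    linear: segments in (loss, p); expo: segments in (loss, log p); polynomial: Lagrange."""
    xs, ys = zip(*sorted(points))
    if method == "polynomial":
        return lambda x: sum(
            yi * math.prod((x - xj) / (xi - xj) for j, xj in enumerate(xs) if j != i)
            for i, (xi, yi) in enumerate(zip(xs, ys)))
    fwd, inv = (math.log, math.exp) if method == "expo" else (float, float)
    def f(x):
        if x <= xs[0]:
            return ys[0]
        if x >= xs[-1]:
            return ys[-1]
        i = bisect_right(xs, x) - 1                      # segment containing x
        t = (x - xs[i]) / (xs[i + 1] - xs[i])
        return inv(fwd(ys[i]) + t * (fwd(ys[i + 1]) - fwd(ys[i])))
    return f

def loss_exceedance(samples):
    """Empirical loss exceedance curve: P(annual loss >= x) from simulated losses."""
    s, n = sorted(samples), len(samples)
    return lambda x: (n - bisect_left(s, x)) / n

def breakout_points(lec, tol, lo, hi, steps=1000):
    """Scan [lo, hi] and report loss levels where the LEC crosses the tolerance curve:
    'above' = risk moves beyond appetite, 'below' = it drops back within it."""
    crossings, above = [], False
    for k in range(steps + 1):
        x = lo + (hi - lo) * k / steps
        now_above = lec(x) > tol(x)
        if now_above != above:
            crossings.append((x, "above" if now_above else "below"))
            above = now_above
    return crossings

# Constructed stand-in for a Monte Carlo run: 1000 annual losses evenly spread over 0..9990.
SIMULATED_LOSSES = list(range(0, 10_000, 10))

if __name__ == "__main__":
    lec = loss_exceedance(SIMULATED_LOSSES)
    for method in ("linear", "expo", "polynomial"):
        print(method, breakout_points(lec, tolerance_curve(TOLERANCE_POINTS, method), 0, 12_000, 1200))
```

With the constructed inputs the linear curve reports risk exceeding appetite from a loss of about 120 and returning within it near 8,880; a real run would feed the simulated losses from the inherent and residual FairModel results in turn.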

Also found an interesting tutorial here, all in Python: https://fluidattacks.com/blog/quantitative-python/

priamai avatar Jun 07 '21 16:06 priamai

From an API perspective, how do you see this working? I.e. how does an analyst define this curve?

import numpy as np
from pyfair import FairSimpleReport

# Fit a polynomial through the analyst's (loss, tolerated probability) points
t_curve = np.polyfit(
   [100, 1_000, 10_000],
   [1, .2, .1],
   3
)
fsr = FairSimpleReport([model_1, model_2])
fsr.add_tolerance_curve(t_curve)  # proposed API, not yet in pyfair
fsr.to_html('output.html')

theonaunheim avatar Jun 07 '21 23:06 theonaunheim

Hi @theonaunheim yes that would work!

priamai avatar Jun 11 '21 06:06 priamai