Add last pictures. Split specs on different pages

master
Yacine Khamis 2017-07-21 16:29:57 +02:00
parent b337e4c0cc
commit d7134fcacd
13 changed files with 268 additions and 261 deletions

@ -1,2 +1,4 @@
* [Home](https://github.com/monarc-project/MonarcAppFO/wiki)
* [Dashboard specifications](https://github.com/monarc-project/MonarcAppFO/wiki/feature-dashboard)
* [Backend](https://github.com/monarc-project/MonarcAppFO/wiki/dashboard_backend_specs)
* [Frontend](https://github.com/monarc-project/MonarcAppFO/wiki/dashboard_frontend_specs)

@ -0,0 +1,32 @@
### Backend specifications
For now, there are 2 main parts that need to be added to MONARC's core in order to acquire :
* A meaningful way to outline a risk analysis and capture or compare its situation over time
* A means of assessing the cost of the measures and recommendations issued by the risk analysis expert
#### 1) Scheduled job
A simple way to compare a risk analysis from one point in time with another point in time would be through the use of snapshots: they reflect the state of a risk analysis at one exact moment.
So our aim here is to get regular snapshots over time. An option should be added to the user interface.
There is no specific rule concerning the component and layout implementation as long as one should be able to see this new functionality when dealing with the actual snapshot feature.
| # | Specifications |
|---|---|
| 1 | By default, this automatic snapshot feature should be disabled |
| 2 | One should enable or disable this feature anytime |
| 3 | One should set the frequency at which the snapshots will be done |
> About the frequency, it is good to know that according to best practice standards , a risk analysis should be revised at least yearly.
#### 2) Model extend
Even if cost assessment is a complex task, it would be an improvement in MONARC if the user had the possibility to evaluate the cost of the measures and/or recommendations he makes.
Indeed, new fields have to be added to the model, especially to the one concerning recommendations.
Although adding a financial dimension in the application is essential here, the main goal of this is to provide consistent cost scales among all recommendations in order to being able to compare them.
Here is the list of fields that should be added :
| Field name | Description | Units available
|---|---|---|
| Initial cost | Assess the initial investment needed to implement measure suggested by the recommendation | € or k€
| Maintenance cost | Assess the recurrent costs implied by the measure suggested by the recommendation | € or k€
| Time | Evaluate the amount of time and work needed to apply the recommendation | Man-days or Man-Months
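Review bot: the scheduled-job table (rows 1-3) gives the frequency no bounds, no default and no retention rule, yet each automatic snapshot is a full copy of the analysis state, so an unbounded or very short interval will silently grow storage; suggest stating a minimum interval, a default that matches the yearly-review note under the table, and how many automatic snapshots are kept. Two presentation points in the same hunk: the "Units available" header row and the three data rows of the model table are missing their closing pipe, and "Model extend" would read better as "Model extension".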

dashboard_frontend_specs.md (new file, 231 lines)

@ -0,0 +1,231 @@
### Frontend specifications
Frontend specifications are about how the application computes the available data and presents it to the user to achieve three objectives :
* Provide an overview of a risk analysis
* Offer decision-making support
* Bring out chronologic evolutions
---
#### 1) Overview
In order to expose the general status of the selected analysis, the overview will provide the user 4 sub-views.
##### 11) Layout
The overview tab will then be composed of 4 areas splitting the available space as follow :
<a href="images/Frontend_Overview_Layout_Components.PNG">[[images/Frontend_Overview_Layout_Components.PNG]]</a>
> In fact, for this dashboard some components should provide a drilldown view of the data. It means that the user should be able to deepen its browsing by clicking the parts in which he is interested, as the following picture shows :
<a href="images/Frontend_Overview_Layout_Drilldown.PNG">[[images/Frontend_Overview_Layout_Drilldown.PNG]]</a>
##### 12) Components
###### 12a. Risks
The first component of the overview tab is composed of 2 layered charts. Browsing freely between them is an essential feature.
| # |First layer : Information & operational risks distribution |
|---|---|
|1| Show how the number of risk is distributed among their type : either information risk or operational
|2| Choice between a bar or a pie chart
|3| Display relatives values (%) or absolutes
|4| Display as total (aggregated) or split on their risk level (weak/medium/strong)
[[images/12a_1.PNG]]
| # |Second layer : Risk distribution by asset |
|---|---|
|1| Show how many risk affect each asset
|2| Presented as a column chart
|3| Display relative or absolute values (%)
|4| Display as total (aggregated) or split on their risk level (weak/medium/strong)
[[images/12a_2.PNG]]
| # |Second layer : Risk list associated to the previously selected asset |
|---|---|
|1| List all risks associated to one specific asset
|2| Clicking twice on a specific risk leads to its location directly in MONARC
|3| Sort by ascending or descending order on fields : Threat value, vulnerability value and impact upon confidentiality, integrity and availability criteria.
Expected representation of the list :
<a href="images/12a.PNG">[[images/12a.PNG]]</a>
###### 12b. Threats
The second component of the synthetic view is meant to bring out the broadest threats. Being able to go back and forth between the different level of this component is necessary.
| # |First layer : Threat themes distribution |
|---|---|
|1| Show the distribution of the threat theme
|2| Choice between a bar or a pie chart
|3| Display relatives values (%) or absolutes
[[images/12b_1.PNG]]
| # |Second layer : Theme by asset |
|---|---|
|1| Show the distribution of the selected threat theme by asset
|2| Choice between a bar or a pie chart
|3| Display relatives values (%) or absolutes
[[images/12b_2.PNG]]
| # |Third layer : Threat list |
|---|---|
|1| Show a list of threats affecting the previously selected asset
|2| Each line must be colored according to the risk level linked to the threat
|3| Sort by ascending or descending order on fields : max risk value associated and the risk set size
Representation of an element in the previously described list :
<a href="images/12b.PNG">[[images/12b.PNG]]</a>
###### 12c. Vulnerabilities
The third component is all about the vulnerabilities that can be found in the risk analysis. This component is made out of 3 layers and as mentioned before, being able to easily move back and forth between the different layers.
| # |First layer : Vulnerabilities distribution |
|---|---|
|1| Show the distribution of the main vulnerability type
|2| Choice between a bar or a pie chart
|3| Display relatives values (%) or absolutes
[[images/12c_1.PNG]]
| # |Second layer : Vulnerabilities sub type distribution |
|---|---|
|1| Show the distribution of the secondary vulnerability type
|2| Choice between a bar or a pie chart
|3| Display relatives values (%) or absolutes
[[images/12c_2.PNG]]
| # |Third layer : Specific vulnerability list |
|---|---|
|1| Show the list of the vulnerabilities affecting the organism and being part of the previously chosen vulnerability sub type
|2| Sort by ascending or descending order on fields : occurrences and max risk value associated
Representation of an element in the previously described list :
<a href="images/12c.PNG">[[images/12c.PNG]]</a>
###### 12d. Cartography
This last component is designed to show to the user a graphic distribution of the risks, through a scatter plot.
| Axis | Label | Description |
|---|---|---|
| X | Likelihood | Discrete values given by the different values of **T**(hreat) x **V**(ulnerability) scales
| Y | Impact | Discrete values given by the **I**(mpact) scale
| Radius | Number of risks | According to the number of risk associated to the (Impact, Threat, Vulnerability) triplet
These few options must be available along with the plot:
| Option | Description |
|---|---|
| Asset selection | Enable the user to choose among all the risk analysis assets plus a field selecting them all
| After/before treatment | Allow the user to see the different distributions based on the actual and residual risk value
> The after/before option must be illustrated by using two different colors to distinguish the risks seen from before and after being mitigated
Expected type of rendering for the plot :
<a href="images/12d.PNG">[[images/12d.PNG]]</a>
---
#### 2) Decision support
##### 21) Layout
<a href="images/Frontend_Decision_Support_Layout_Components.PNG">[[images/Frontend_Decision_Support_Layout_Components.PNG]]</a>
The decision support view is composed of 2 areas splitting the available space at screen horizontally. The 2 areas will both display a list of textual elements.
<a href="images/Frontend_Decision_Support_Set_Lists.PNG">[[images/Frontend_Decision_Support_Set_Lists.PNG]]</a>
##### 22) Components
###### 22a. Custom action plan
The first component of the decision support tab is a priority queue concerning the recommendations done by the risk assessor.
Indeed, one must have the ability to choose a strategy in a dropdown list and then be provided with different results. The available strategies are the following:
* Cost
* Time
* Quality
* Criticality
* Importance
* Likelihood
Each element of the list represents a measure which will be presented as following:
[[images/22a.PNG]]
More details on the different strategies from the dropdown list below :
| Strategy | Description | Score | Order
|---|---|---|---|
| Cost | Prioritize the cheapest measures | = 0.75 x initial cost + 0.25 x maintenance | :arrow_up_small:
| Time | Put the recommendation that are the shortest to set up at the top of the queue | = time qualification | :arrow_up_small:
| Quality | Prioritize the measures which decrease the most the overall vulnerability | = &Sigma; ( Vuln before - Vuln after ) for each risk assigned to the recommendation | :arrow_down_small:
| Criticality | Highlight the most spread measures among the organization's risks | = Number of risks mitigated | :arrow_down_small:
| Importance | Put in order according to the criteria of importance of the risk assessor | = Measure's importance criteria | :arrow_down_small:
| Likelihood | Prioritize the measures that are related to the most likely risks | = &Sigma; ( Threat probability x Vulnerability qualification ) | :arrow_down_small:
###### 22b. Risk factors
The second part of the decision support tab is about highlight specific aspect of the risk analysis that might have gone unnoticed by the user otherwise.
> Duplicate risks stemming from global assets are showed once, when not specifying an asset in the risk analysis.
One must have to choose from a dropdown list one of the following options :
* Global risks
* Vulnerabilities
* Threats
Similarly to above, the application will give a score according to the chosen option and then list the results, which will most likely be different depending on the selected option.
Global risk elements:
[[images/22b_risks.PNG]]
Threat elements:
[[images/22b_threats.PNG]]
Vulnerability elements:
[[images/22b_vulnerabilities.PNG]]
Here is how the score is calculated for each option:
| Option | Description | Score | Order |
|---|---|---|---|
| Global risks | Show risks that might be more present than the UI let see | = number of asset which contain that risk | :arrow_down_small: |
| Threats | Highlight the most spread threats | = number of asset concerned by the threat | :arrow_down_small: |
| Vulnerabilities | Bring out the real weaknesses of the organization | = number of asset affected by the same vulnerability | :arrow_down_small: |
---
#### 3) Perspective
##### 31) Layout
<a href="images/Frontend_Perspective_Layout_Components.PNG">[[images/Frontend_Perspective_Layout_Components.PNG]]</a>
This last view of the dashboard is meant to compare two snapshot of the risk analysis: the one currently in use and another one that one must be able to load through an upload field.
This perspective view will then be composed of one plot, in which different bar charts will be nested.
In fact, the user must be given a checkbox from which he could choose what chart is relevant to him and display it.
<a href="images/Perspective.gif">[[images/Perspective.gif]]</a>
##### 32) Components
###### 32a. Evolutions & tendencies
The main plot area should not label any axis since information presented are in different scales. Indeed, the values should be displayed directly on mouse hovering in a tooltip.
The values inside the checkbox should be filled with the following options :
| Value | Description |
|---|---|
| Aggregated Risks | Show the total risk number no matter their value |
| Split Risks | Show strong, medium and weak risks total number |
| Assets | Compare the number of assets present in the risk analysis |
| Applied recommendations | Bring out number of applied recommendations |
| Risk mean | Put in perspective the overall risk value for both risk analysis |
> Aggregated and split options shall be exclusive
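Review bot: in 12a two consecutive tables are both labelled "Second layer" ("Risk distribution by asset" and "Risk list associated to the previously selected asset") while the intro still says the component "is composed of 2 layered charts"; renumber the tables First/Second/Third and update the intro to three layers, as 12b and 12c already do. Smaller points in the same hunk: row 3 of the by-asset table should read "Display relative (%) or absolute values" (the "%" belongs to relative, as in the other tables); the cartography and option tables in 12d are missing closing pipes; the Quality and Likelihood score rows in 22a use "&Sigma;" without naming the index, so say "summed over the risks assigned to the recommendation" in both; and the Order column relies on GitHub emoji shortcodes, so add the words "ascending"/"descending" for readers outside GitHub.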

@ -2,7 +2,7 @@
> Draft version. Pending for approval
## A. Purpose & objectives
## Purpose & objectives
MONARC, enabling various sized organisms to do a risk assessment quickly thanks to its optimized method, will need additional capabilities.
Based on the different risk analysis done thus far fall in the following scheme:
* The first iteration of the analysis cycle is often done by a consultant
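Review bot: the unchanged context line "Based on the different risk analysis done thus far fall in the following scheme:" has no subject; since this hunk already touches the heading above it, suggest "The risk analyses done thus far fall into the following scheme:".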
@ -10,270 +10,12 @@ Based on the different risk analysis done thus far fall in the following scheme:
So it has been decided that the application shall provide precise and meaningful information targeted to mainly these 2 different types of users with the use of a dashboard.
In order to present information with added value, it is necessary to modify and add a few things in the data model. These modifications are detailed in the part describing [backend specifications](#i-backend-specifications).
In order to present information with added value, it is necessary to modify and add a few things in the data model. These modifications are detailed in the part describing [backend specifications](https://github.com/monarc-project/MonarcAppFO/wiki/dashboard_backend_specs).
Then, the dashboard's goal is to access specific data from the risk analysis to fulfill the following objectives :
* Provide a synthetic view of a risk analysis
* Be a support tool for decision-making that provides specific guidance while respecting organization's strategy
* Highlight chronologically relevant information
The [frontend specifications part](#ii-frontend-specifications) describes how to achieve the aforementioned objectives.
## B. Functional specifications
### I. Backend specifications
For now, there are 2 main parts that need to be added to MONARC's core in order to acquire :
* A meaningful way to outline a risk analysis and capture or compare its situation over time
* A means of assessing the cost of the measures and recommendations issued by the risk analysis expert
#### I.1) Scheduled job
A simple way to compare a risk analysis from one point in time with another point in time would be through the use of snapshots: they reflect the state of a risk analysis at one exact moment.
So our aim here is to get regular snapshots over time. An option should be added to the user interface.
There is no specific rule concerning the component and layout implementation as long as one should be able to see this new functionality when dealing with the actual snapshot feature.
| # | Specifications |
|---|---|
| 1 | By default, this automatic snapshot feature should be disabled |
| 2 | One should enable or disable this feature anytime |
| 3 | One should set the frequency at which the snapshots will be done |
> About the frequency, it is good to know that according to best practice standards , a risk analysis should be revised at least yearly.
#### I.2) Model extend
Even if cost assessment is a complex task, it would be an improvement in MONARC if the user had the possibility to evaluate the cost of the measures and/or recommendations he makes.
Indeed, new fields have to be added to the model, especially to the one concerning recommendations.
Although adding a financial dimension in the application is essential here, the main goal of this is to provide consistent cost scales among all recommendations in order to being able to compare them.
Here is the list of fields that should be added :
| Field name | Description | Units available
|---|---|---|
| Initial cost | Assess the initial investment needed to implement measure suggested by the recommendation | € or k€
| Maintenance cost | Assess the recurrent costs implied by the measure suggested by the recommendation | € or k€
| Time | Evaluate the amount of time and work needed to apply the recommendation | Man-days or Man-Months
### II. Frontend specifications
Frontend specifications are about how the application computes the available data and presents it to the user to achieve three objectives :
* Provide an overview of a risk analysis
* Offer decision-making support
* Bring out chronologic evolutions
---
#### II.1) Overview
In order to expose the general status of the selected analysis, the overview will provide the user 4 sub-views.
##### 11) Layout
The overview tab will then be composed of 4 areas splitting the available space as follow :
[[images/Frontend_Overview_Layout_Components.PNG]]
> In fact, for this dashboard some components should provide a drilldown view of the data. It means that the user should be able to deepen its browsing by clicking the parts in which he is interested, as the following picture shows :
[[images/Frontend_Overview_Layout_Drilldown.PNG]]
##### 12) Components
###### 12a. Risks
The first component of the overview tab is composed of 2 layered charts. Browsing freely between them is an essential feature.
<!---
| # |First layer : Information & operational risks distribution |
|---|---|
|1| Show how the number of risk is distributed among their type : either information risk or operational
|2| Choice between a bar or a pie chart
|3| Display relatives values (%) or absolutes
--->
| # |First layer : Risk distribution by asset |
|---|---|
|1| Show how many risk affect each asset
|2| Presented as a column chart
|3| Display relative or absolute values (%)
|4| Display as total (aggregated) or split on their risk level (weak/medium/strong)
[[images/12a_1.PNG]]
| # |Second layer : Risk list associated to the previously selected asset |
|---|---|
|1| List all risks associated to one specific asset
|2| Clicking twice on a specific risk leads to its location directly in MONARC
|3| Sort by ascending or descending order on fields : Threat value, vulnerability value and impact upon confidentiality, integrity and availability criteria.
Representation of an element in the previously described list :
[[images/12a.PNG]]
###### 12b. Threats
The second component of the synthetic view is meant to bring out the broadest threats. Being able to go back and forth between the different level of this component is necessary.
| # |First layer : Threat themes distribution |
|---|---|
|1| Show the distribution of the threat theme
|2| Choice between a bar or a pie chart
|3| Display relatives values (%) or absolutes
| # |Second layer : Theme by asset |
|---|---|
|1| Show the distribution of the selected threat theme by asset
|2| Choice between a bar or a pie chart
|3| Display relatives values (%) or absolutes
| # |Third layer : Threat list |
|---|---|
|1| Show a list of threats affecting the previously selected asset
|2| Each line must be colored according to the risk level linked to the threat
|3| Sort by ascending or descending order on fields : max risk value associated and the risk set size
Representation of an element in the previously described list :
[[images/12b.PNG]]
###### 12c. Vulnerabilities
The third component is all about the vulnerabilities that can be found in the risk analysis. This component is made out of 3 layers and as mentioned before, being able to easily move back and forth between the different layers.
| # |First layer : Vulnerabilities distribution |
|---|---|
|1| Show the distribution of the main vulnerability type
|2| Choice between a bar or a pie chart
|3| Display relatives values (%) or absolutes
| # |Second layer : Vulnerabilities sub type distribution |
|---|---|
|1| Show the distribution of the secondary vulnerability type
|2| Choice between a bar or a pie chart
|3| Display relatives values (%) or absolutes
| # |Third layer : Specific vulnerability list |
|---|---|
|1| Show the list of the vulnerabilities affecting the organism and being part of the previously chosen vulnerability sub type
|2| Sort by ascending or descending order on fields : occurrences and max risk value associated
Representation of an element in the previously described list :
[[images/12c.PNG]]
###### 12d. Cartography
This last component is designed to show to the user a graphic distribution of the risks, through a scatter plot.
| Axis | Label | Description |
|---|---|---|
| x | Likelihood | Discrete values given by the different values of **T**(hreat) x **V**(ulnerability) scales
| y | Impact | Discrete values given by the **I**(mpact) scale
| radius | Number of risks | According to the number of risk associated to the (I, T, V) triplet
These few options must be available along with the plot:
| Option | Description |
|---|---|
| Asset selection | Enable the user to choose among all the risk analysis assets plus a field selecting them all
| After/before treatment | Allow the user to see the different distributions based on the actual and residual risk value
> The after/before option must be illustrated by using two different colors to distinguish the risks seen from before and after being mitigated
Expected type of rendering for the plot :
[[images/12d.PNG]]
---
#### II.2) Decision support
##### 21) Layout
[[images/Frontend_Decision_Support_Layout_Components.PNG]]
The decision support view is composed of 2 areas splitting the available space at screen horizontally. It should be possible for the user to choose .
The 2 areas will both display a list of textual elements.
[[images/Frontend_Decision_Support_Set_Lists.PNG]]
##### 22) Components
###### 22a. Custom action plan
The first component of the decision support tab is a priority queue concerning the recommendations done by the risk assessor.
Indeed, one must have the ability to choose a strategy in a dropdown list and then be provided with different results. The available strategies are the following:
* Cost
* Time
* Quality
* Criticality
* Importance
* Likelihood
Each element of the list represents a measure which will be presented as following:
[[images/22a.PNG]]
More details on the different strategies from the dropdown list below :
| Strategy | Description | Score | Order
|---|---|---|---|
| Cost | Prioritize the cheapest measures | = 0.75 x initial cost + 0.25 x maintenance | :arrow_up_small:
| Time | Put the recommendation that are the shortest to set up at the top of the queue | = time qualification | :arrow_up_small:
| Quality | Prioritize the measures which decrease the most the overall vulnerability | = &Sigma; ( Vuln before - Vuln after ) for each risk assigned to the recommendation | :arrow_down_small:
| Criticality | Highlight the most spread measures among the organization's risks | = Number of risks mitigated | :arrow_down_small:
| Importance | Put in order according to the criteria of importance of the risk assessor | = Measure's importance criteria | :arrow_down_small:
| Likelihood | Prioritize the measures that are related to the most likely risks | = &Sigma; ( Threat probability x Vulnerability qualification ) | :arrow_down_small:
###### 22b. Risk factors
The second part of the decision support tab is about highlight specific aspect of the risk analysis that might have gone unnoticed by the user otherwise.
> When no particular asset is selected in the application, it will only display the most significant risks among those shared by global assets
One must have to choose from a dropdown list one of the following options :
* Global risks
* Vulnerabilities
* Threats
Similarly to above, the application will give a score according to the chosen option and then list the results, which will most likely be different depending on the selected option.
Global risk elements:
[[images/22b_risks.PNG]]
Threat elements:
[[images/22b_threats.PNG]]
Vulnerability elements:
[[images/22b_vulnerabilities.PNG]]
Here is how the score is calculated for each option:
| Option | Description | Score | Order |
|---|---|---|---|
| Global risks | Show risks that might be more present than the UI let see | = number of asset which contain that risk | :arrow_down_small: |
| Threats | Highlight the most spread threats | = number of asset concerned by the threat | :arrow_down_small: |
| Vulnerabilities | Bring out the real weaknesses of the organization | = number of asset affected by the same vulnerability | :arrow_down_small: |
---
#### II.3) Perspective
##### 31) Layout
[[images/Frontend_Perspective_Layout_Components.PNG]]
This last view of the dashboard is meant to compare two snapshot of the risk analysis: the one currently in use and another one that one must be able to load through an upload field.
This perspective view will then be composed of one plot, in which different bar charts will be nested.
In fact, the user must be given a checkbox from which he could choose what chart is relevant to him and display it.
[[images/Perspective.gif]]
##### 32) Components
###### 32a. Evolutions & tendencies
The main plot area should not label any axis since information presented are in different scales. Indeed, the values should be displayed directly on mouse hovering in a tooltip.
The values inside the checkbox should be filled with the following options :
| Value | Description |
|---|---|
| Aggregated Risks | Show the total risk number no matter their value |
| Split Risks | Show strong, medium and weak risks total number |
| Assets | Compare the number of assets present in the risk analysis |
| Applied recommendations | Bring out number of applied recommendations |
| Risk mean | Put in perspective the overall risk value for both risk analysis |
> Aggregated and split options shall be exclusive
The [frontend specifications part](https://github.com/monarc-project/MonarcAppFO/wiki/dashboard_frontend_specs) describes how to achieve the aforementioned objectives.
---
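Review bot: this hunk does more than move text, and the commit message ("Split specs on different pages") does not say so; the content removed here differs from the new pages added in the same commit. In the removed 12a section the "Information & operational risks distribution" layer was commented out (`<!--- ... --->`) and the remaining tables were labelled First/Second layer, whereas the new frontend page reinstates that layer; the removed 22b note read "When no particular asset is selected in the application, it will only display the most significant risks among those shared by global assets" while the new page says "Duplicate risks stemming from global assets are showed once, when not specifying an asset"; and the removed decision-support layout contained the truncated sentence "It should be possible for the user to choose .", which the new page drops. Please list these substantive changes in the commit message so reviewers of the spec can tell relocation from revision. The replacement link lines (backend specs and frontend specs) correctly point at the new wiki pages instead of in-page anchors.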

Binary files changed (not shown in the diff):
* (file name not shown in the rendered page), modified: 3.2 KiB before, 3.9 KiB after
* images/12a_2.PNG (new file), 3.2 KiB
* images/12b_1.PNG (new file), 3.9 KiB
* images/12b_2.PNG (new file), 3.2 KiB
* images/12c_1.PNG (new file), 4.7 KiB
* images/12c_2.PNG (new file), 4.4 KiB
* images/12c_3.PNG (new file), 4.5 KiB
* (file name not shown in the rendered page), new file: 92 KiB
* images/Perspective.gif (new file), 174 KiB