4 dashboard_frontend_specs
Jerome Lombardi edited this page 2018-02-23 08:41:23 +01:00

Frontend specifications

Frontend specifications describe how the application computes the available data and presents it to the user to achieve three objectives:

  • Provide an overview of a risk analysis
  • Offer decision-making support
  • Bring out chronologic evolutions

1) Overview

In order to expose the general status of the selected analysis, the overview provides the user with 4 sub-views.

11) Layout

The overview tab is therefore composed of 4 areas splitting the available space as follows:

[[images/Frontend_Overview_Layout_Components.PNG]]

Some components of this dashboard should provide a drilldown view of the data: the user should be able to go deeper by clicking the parts he is interested in, as the following picture shows:

[[images/Frontend_Overview_Layout_Drilldown.PNG]]

12) Components

12a. Risks

The first component of the overview tab is composed of 3 layered charts. Browsing freely between the layers is an essential feature.

# First layer: Information & operational risks distribution
1. Show how the number of risks is distributed among their types: either information risk or operational risk
2. Choice between a bar or a pie chart
3. Display absolute values
4. Display as a total (aggregated) or split by risk level (weak/medium/strong)

Two graphs will be generated, one for information risks and one for operational risks.

[[images/12a_1.PNG]]

# Second layer: Risk distribution by asset
1. Show how many risks affect each asset
2. Presented as a column chart
3. Display absolute values
4. Display as a total (aggregated) or split by risk level (weak/medium/strong)

Two graphs will be generated, one for information risks and one for operational risks.

[[images/12a_2.PNG]]

  • Information risks:

# Third layer: Risk list
The list of risks associated with the previously selected asset is displayed.

12b. Threats

The second component of the synthetic view is meant to bring out the most widespread threats.

# Threat themes distribution
1. Show the distribution of the threat themes
2. Choice between a bar or a pie chart
3. Display relative values (%) or absolute values

12c. Vulnerabilities

The third component covers the vulnerabilities found in the risk analysis.

# Vulnerabilities distribution
1. Show the distribution of the main vulnerability types
2. Choice between a bar or a pie chart
3. Display relative values (%) or absolute values

12d. Cartography

This last component is designed to show the user a graphic distribution of the risks through a bubble chart. The risks shown are either information or operational risks, and the user should be able to choose which category is displayed at any time.


  • Information risks distribution

| Axis | Label | Description |
| --- | --- | --- |
| X | Likelihood | Discrete values given by the different values of the Threat x Vulnerability scales |
| Y | Impact | Discrete values given by the Impact scale |
| Radius | Number of risks | According to the number of risks associated with the (Impact, Threat, Vulnerability) triplet |

  • Operational risks distribution

| Axis | Label | Description |
| --- | --- | --- |
| X | Likelihood | Discrete values given by the different values of the operational risk probability scales |
| Y | Impact | Discrete values given by the Impact scale of the chosen impact criteria option |
| Radius | Number of risks | According to the number of risks associated with the (Impact, Probability) couple |

When choosing to bring out operational risks, the user should be able to select the criteria on which this is done. The following table describes the different options that should be available:

| Option | Description |
| --- | --- |
| Default | As the default behavior of the application, for each operational risk only the most concerning risk level is kept and the others are dismissed. Each bubble should be colored according to the impact criterion (ROLFP) |
| R | Displays all risks on a reputation criteria basis |
| O | Displays the impacts on an operational impact basis |
| L | Brings out risks that have a legal impact |
| F | Highlights operational risks that have a financial impact |
| P | Displays the operational risk distribution with the personal impact on the Y axis |

Moreover, the following options should be available along with the plot:

| Option | Description |
| --- | --- |
| Asset selection | Enables the user to choose among all the assets of the risk analysis, plus a field selecting them all. More generally, a selection between primary and secondary assets only can be made |
| After/before treatment | Allows the user to see the different distributions based on the actual and residual risk values |

The after/before option must be illustrated with two different colors, distinguishing the risks seen before and after mitigation.

Expected type of rendering for the plot:

[[images/12d.PNG]]
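As an added example (not code from the dashboard project), the following JavaScript builds the bubbles of the information-risk cartography from a list of risks, applying the asset selection and producing the before/after treatment series. It assumes each risk carries its threat rate, its vulnerability rate before and after treatment, its impact and its asset; likelihood is Threat x Vulnerability as the axis table states, and the field names are assumptions.

```javascript
// Added example, not the dashboard project's code. Assumed risk shape:
// { asset, assetType: 'primary'|'secondary', threat, vuln, vulnAfter, impact }
// where vulnAfter is the residual vulnerability once the treatment is applied.

// Constructed sample of information risks (not real analysis data).
const SAMPLE_RISKS = [
  { asset: 'Mail server', assetType: 'secondary', threat: 3, vuln: 3, vulnAfter: 1, impact: 4 },
  { asset: 'Mail server', assetType: 'secondary', threat: 2, vuln: 2, vulnAfter: 2, impact: 3 },
  { asset: 'HR process',  assetType: 'primary',   threat: 3, vuln: 3, vulnAfter: 1, impact: 4 },
  { asset: 'HR process',  assetType: 'primary',   threat: 1, vuln: 4, vulnAfter: 4, impact: 2 },
  { asset: 'Laptop',      assetType: 'secondary', threat: 4, vuln: 1, vulnAfter: 1, impact: 2 },
];

// Asset selection: 'all', 'primary', 'secondary', or a single asset name.
function selectAssets(risks, selection) {
  if (selection === 'all') return risks;
  if (selection === 'primary' || selection === 'secondary') {
    return risks.filter((r) => r.assetType === selection);
  }
  return risks.filter((r) => r.asset === selection);
}

// Bubbles for one treatment state ('before' uses vuln, 'after' uses vulnAfter).
// One bubble per (likelihood, impact) point; its radius is the number of risks.
function cartographyBubbles(risks, treatment, selection = 'all') {
  const buckets = new Map();
  for (const r of selectAssets(risks, selection)) {
    const vuln = treatment === 'after' ? r.vulnAfter : r.vuln;
    const likelihood = r.threat * vuln;            // X axis: Threat x Vulnerability
    const key = `${likelihood}:${r.impact}`;
    if (!buckets.has(key)) buckets.set(key, { x: likelihood, y: r.impact, radius: 0, treatment });
    buckets.get(key).radius += 1;                  // radius grows with the risk count
  }
  // Stable ordering (by X, then Y) so rendering and tests are deterministic.
  return [...buckets.values()].sort((a, b) => a.x - b.x || a.y - b.y);
}

// Both series together; the chart colors them differently as the spec requires.
function cartographySeries(risks, selection = 'all') {
  return {
    before: cartographyBubbles(risks, 'before', selection),
    after: cartographyBubbles(risks, 'after', selection),
  };
}
```

With the sample above, two risks that share likelihood 9 and impact 4 before treatment merge into a single bubble of radius 2 that moves to likelihood 3 once their vulnerability is reduced.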


2) Decision support

21) Layout

[[images/Frontend_Decision_Support_Layout_Components.PNG]]

The decision support view is composed of 2 areas splitting the screen horizontally. Both areas display a list of textual elements.

[[images/Frontend_Decision_Support_Set_Lists.PNG]]

22) Components

22a. Custom action plan

The first component of the decision support tab is a priority queue of the recommendations made by the risk assessor.

  • Concerning information risks

One should be able to choose a strategy in a dropdown list and then be provided with the corresponding results. The available strategies are the following:

| Strategy | Description | Score | Order |
| --- | --- | --- | --- |
| Cost | Prioritize the cheapest measures | = ( initial cost + maintenance ) / 2 | 🔼 |
| Time | Put the recommendations that are the quickest to set up at the top of the queue | = time qualification | 🔼 |
| Quality | Prioritize the measures which decrease the overall vulnerability the most | = Σ ( Vuln before - Vuln after ) for each risk assigned to the recommendation | 🔽 |
| Criticality | Highlight the most widespread measures among the organization's risks | = Number of risks mitigated | 🔽 |
| Importance | Order according to the importance criterion set by the risk assessor | = Measure's importance criterion | 🔽 |
| Likelihood | Prioritize the measures that are related to the most likely risks | = Σ ( Threat probability x Vulnerability qualification ) | 🔽 |

[[images/22a.PNG]]
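As an added example (not the dashboard project's code), this JavaScript computes the score of each recommendation for every strategy in the table above and orders the queue in the stated direction (🔼 ascending, 🔽 descending). The recommendation shape, with its costs, time qualification, importance criterion and the risks it mitigates, is an assumption.

```javascript
// Added example, not the dashboard project's code. Assumed recommendation shape:
// { code, initialCost, maintenanceCost, time, importance,
//   risks: [{ threat, vulnBefore, vulnAfter }, ...] }

// Constructed sample data (not taken from a real analysis).
const SAMPLE_RECOMMENDATIONS = [
  { code: 'REC-A', initialCost: 8, maintenanceCost: 2, time: 3, importance: 2,
    risks: [{ threat: 3, vulnBefore: 3, vulnAfter: 1 }, { threat: 2, vulnBefore: 2, vulnAfter: 1 }] },
  { code: 'REC-B', initialCost: 2, maintenanceCost: 2, time: 1, importance: 3,
    risks: [{ threat: 4, vulnBefore: 2, vulnAfter: 2 }] },
  { code: 'REC-C', initialCost: 4, maintenanceCost: 4, time: 2, importance: 1,
    risks: [{ threat: 1, vulnBefore: 4, vulnAfter: 2 }, { threat: 1, vulnBefore: 3, vulnAfter: 3 },
            { threat: 2, vulnBefore: 2, vulnAfter: 1 }] },
];

const sum = (xs) => xs.reduce((acc, x) => acc + x, 0);

// Score formula and sort direction per strategy, taken from the table:
// 'asc' puts the smallest score first, 'desc' the largest.
const STRATEGIES = {
  cost:        { order: 'asc',  score: (r) => (r.initialCost + r.maintenanceCost) / 2 },
  time:        { order: 'asc',  score: (r) => r.time },
  quality:     { order: 'desc', score: (r) => sum(r.risks.map((k) => k.vulnBefore - k.vulnAfter)) },
  criticality: { order: 'desc', score: (r) => r.risks.length },
  importance:  { order: 'desc', score: (r) => r.importance },
  likelihood:  { order: 'desc', score: (r) => sum(r.risks.map((k) => k.threat * k.vulnBefore)) },
};

// Priority queue for one strategy: [{ code, score }] in display order.
function actionPlan(recommendations, strategy) {
  const def = STRATEGIES[strategy];
  if (!def) throw new Error(`unknown strategy: ${strategy}`);
  const scored = recommendations.map((r) => ({ code: r.code, score: def.score(r) }));
  const sign = def.order === 'asc' ? 1 : -1;
  // Ties keep their input order: Array.prototype.sort is stable since ES2019.
  return scored.sort((a, b) => sign * (a.score - b.score));
}
```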

22b. Risk factors

The second part of the decision support tab highlights specific aspects of the risk analysis that might otherwise go unnoticed by the user.

Duplicate risks stemming from global assets are shown only once when no asset is specified in the risk analysis.

One must choose one of the following options from a dropdown list:

  • Global risks
  • Vulnerabilities
  • Threats
  • Operational assets

Similarly to the above, the application computes a score according to the chosen option and then lists the results.

Global risk header:

[[images/22b_risks.PNG]]

Threat header:

[[images/22b_threats.PNG]]

Vulnerability header:

[[images/22b_vulnerabilities.PNG]]

Operational assets header:

[[images/22b_operational_assets.PNG]]

Here is how the score is calculated for each option:

| Option | Description | Score | Order |
| --- | --- | --- | --- |
| Global risks | Show risks that may be more present than the UI lets on | = number of assets which contain that risk | 🔽 |
| Threats | Highlight the most widespread threats | = number of assets concerned by the threat | 🔽 |
| Vulnerabilities | Bring out the real weaknesses of the organization | = number of assets affected by the same vulnerability | 🔽 |
| Operational assets | Show each asset's contribution to operational risk | = relative distribution of ROLFP impacts | 🔽 |
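As an added example (not the dashboard project's code), this JavaScript scores the Global risks, Threats and Vulnerabilities options of the table above by counting distinct assets, so that the same risk instantiated on several assets (as happens with global assets) counts once per asset rather than once per row. It assumes a flat list of risk instances, each with its asset, threat and vulnerability names; the Operational assets option is not covered.

```javascript
// Added example, not the dashboard project's code. Assumed instance shape:
// { asset, threat, vulnerability }; a risk is identified by its (threat, vulnerability) pair.

// Constructed sample (not real analysis data): 'Malware' x 'No antivirus' is the
// same risk instantiated on three assets, with one repeated row on the laptop.
const SAMPLE_INSTANCES = [
  { asset: 'Laptop',      threat: 'Malware', vulnerability: 'No antivirus' },
  { asset: 'Laptop',      threat: 'Malware', vulnerability: 'No antivirus' }, // duplicate row
  { asset: 'Workstation', threat: 'Malware', vulnerability: 'No antivirus' },
  { asset: 'Mail server', threat: 'Malware', vulnerability: 'No antivirus' },
  { asset: 'Mail server', threat: 'Theft',   vulnerability: 'No encryption' },
  { asset: 'Laptop',      threat: 'Theft',   vulnerability: 'No encryption' },
  { asset: 'HR process',  threat: 'Fire',    vulnerability: 'No extinguisher' },
];

// Count distinct assets per grouping key; keyFn maps one instance to its key.
function countAssetsBy(instances, keyFn) {
  const assetsPerKey = new Map();
  for (const row of instances) {
    const key = keyFn(row);
    if (!assetsPerKey.has(key)) assetsPerKey.set(key, new Set());
    assetsPerKey.get(key).add(row.asset);        // a Set dedupes repeated (asset, key) rows
  }
  return [...assetsPerKey.entries()]
    .map(([label, assets]) => ({ label, score: assets.size }))
    .sort((a, b) => b.score - a.score || a.label.localeCompare(b.label)); // descending score
}

// Grouping key per option, following the score column of the table.
const RISK_FACTOR_KEYS = {
  'Global risks':    (r) => `${r.threat} / ${r.vulnerability}`,
  'Threats':         (r) => r.threat,
  'Vulnerabilities': (r) => r.vulnerability,
};

// Scored, ordered list for the chosen option: [{ label, score }].
function riskFactors(instances, option) {
  const keyFn = RISK_FACTOR_KEYS[option];
  if (!keyFn) throw new Error(`unsupported option: ${option}`);
  return countAssetsBy(instances, keyFn);
}
```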

3) Perspective

31) Layout

[[images/Frontend_Perspective_Layout_Components.PNG]]

This last view of the dashboard is meant to compare two snapshots of the risk analysis: the one currently in use and another one that the user must be able to load through an upload field.

This perspective view is therefore composed of one plot, in which different bar charts are nested. The user must be given checkboxes from which he can choose which charts are relevant to him and display them.

[[images/Perspective.gif]]

32) Components

32a. Evolutions & tendencies

The main plot area should not label any axis, since the information presented is on different scales. Instead, the values should be displayed in a tooltip on mouse hover.

In the first place, it should be possible to distinguish operational aspects from information ones and enable the display for each type:

| Value | Description |
| --- | --- |
| Aggregated Risks | Show the total number of risks regardless of their risk value |
| Split Risks | Show the total number of strong, medium and weak risks |
| Risk mean | Put in perspective the overall average risk value of both risk analyses |

The aggregated and split options shall be mutually exclusive.

Besides choosing to screen either operational or information risks, it should always be possible to display the following:

| Value | Description |
| --- | --- |
| Assets | Compare the number of assets present in the risk analysis |
| Applied recommendations | Bring out the number of applied recommendations |