Frontend specifications
Frontend specifications are about how the application computes the available data and presents it to the user to achieve three objectives :
- Provide an overview of a risk analysis
- Offer decision-making support
- Bring out chronologic evolutions
1) Overview
In order to expose the general status of the selected analysis, the overview will provide the user 4 sub-views.
11) Layout
The overview tab will then be composed of 4 areas splitting the available space as follow :
[[images/Frontend_Overview_Layout_Components.PNG]]
![[[images/Frontend_Overview_Layout_Components.PNG]]](images/Frontend_Overview_Layout_Components.PNG){kind=link}
In fact, for this dashboard some components should provide a drilldown view of the data. It means that the user should be able to deepen its browsing by clicking the parts in which he is interested, as the following picture shows :
[[images/Frontend_Overview_Layout_Drilldown.PNG]]
![[[images/Frontend_Overview_Layout_Drilldown.PNG]]](images/Frontend_Overview_Layout_Drilldown.PNG){kind=link}
12) Components
12a. Risks
The first component of the overview tab is composed of 3 layered charts. Browsing freely between them is an essential feature.
| # | First layer : Information & operational risks distribution |
|---|---|
| 1 | Show how the number of risk is distributed among their type : either information risk or operational |
| 2 | Choice between a bar or a pie chart |
| 3 | Display absolute values |
| 4 | Display as total (aggregated) or split on their risk level (weak/medium/strong) |
Two graphs will be generated, one for information risks and one for operational risks.
| # | Second layer : Risk distribution by asset |
|---|---|
| 1 | Show how many risk affect each asset |
| 2 | Presented as a column chart |
| 3 | Display absolute values |
| 4 | Display as total (aggregated) or split on their risk level (weak/medium/strong) |
Two graphs will be generated, one for information risks and one for operational risks.
- Information risks:
The third layer: The risk list associated to the previously selected asset will be displayed.
12b. Threats
The second component of the synthetic view is meant to bring out the broadest threats.
| # | Threat themes distribution |
|---|---|
| 1 | Show the distribution of the threat theme |
| 2 | Choice between a bar or a pie chart |
| 3 | Display relative values (%) or absolute |
12c. Vulnerabilities
The third component is all about the vulnerabilities that can be found in the risk analysis.
| # | Vulnerabilities distribution |
|---|---|
| 1 | Show the distribution of the main vulnerability type |
| 2 | Choice between a bar or a pie chart |
| 3 | Display relative values (%) or absolute |
12d. Cartography
This last component is designed to show to the user a graphic distribution of the risks, through a bubble chart. The risks exposed are either information or operational risks and the user should choose which category we wants to be displayed, anytime.
- Information risks distribution
| Axis | Label | Description |
|---|---|---|
| X | Likelihood | Discrete values given by the different values of Threat x Vulnerability scales |
| Y | Impact | Discrete values given by the Impact scale |
| Radius | Number of risks | According to the number of risk associated to the (Impact, Threat, Vulnerability) triplet |
- Operational risks distribution
| Axis | Label | Description |
|---|---|---|
| X | Likelihood | Discrete values given by the different values of operational risk probability scales |
| Y | Impact | Discrete values given by the Impact scale on the chosen impact criteria option |
| Radius | Number of risks | According to the number of risk associated to the (Impact, Probability) couple |
When choosing to bring out operational risks, the user should be able to set for which criteria it would be done. The following table describe the different options that should be available :
| Option | Description |
|---|---|
| Default | As the default behavior of the application, for each operational risk, the most concerning risk level will be kept and the other dismissed. Each bubble should be colored according to the impact criteria (ROLFP) |
| R | Displays all risks on reputation criteria basis |
| O | Displays the impacts on the operational impact basis |
| L | Brings out risks that have legal impact |
| F | Highlights operational risks that have a financial impact |
| P | Displays operational risk distribution with the personal impact on the Y axis |
Moreover, these options should be available along with the plot:
| Option | Description |
|---|---|
| Asset selection | Enable the user to choose among all the risk analysis assets plus a field selecting them all. More generally a selection just between primary and secondary assets can be done |
| After/before treatment | Allow the user to see the different distributions based on the actual and residual risk value |
The after/before option must be illustrated by using two different colors to distinguish the risks seen from before and after being mitigated
Expected type of rendering for the plot :
![[[images/12d.PNG]]](images/12d.PNG){kind=link}
2) Decision support
21) Layout
[[images/Frontend_Decision_Support_Layout_Components.PNG]]
![[[images/Frontend_Decision_Support_Layout_Components.PNG]]](images/Frontend_Decision_Support_Layout_Components.PNG){kind=link}
The decision support view is composed of 2 areas splitting the available space at screen horizontally. The 2 areas will both display a list of textual elements.
[[images/Frontend_Decision_Support_Set_Lists.PNG]]
![[[images/Frontend_Decision_Support_Set_Lists.PNG]]](images/Frontend_Decision_Support_Set_Lists.PNG){kind=link}
22) Components
22a. Custom action plan
The first component of the decision support tab is a priority queue concerning the recommendations done by the risk assessor.
- Concerning information risks
One should have the ability to choose a strategy in a dropdown list and then be provided with different results. The available strategies are the following:
| Strategy | Description | Score | Order |
|---|---|---|---|
| Cost | Prioritize the cheapest measures | = ( initial cost + maintenance ) / 2 | 🔼 |
| Time | Put the recommendation that are the shortest to set up at the top of the queue | = time qualification | 🔼 |
| Quality | Prioritize the measures which decrease the most the overall vulnerability | = Σ ( Vuln before - Vuln after ) for each risk assigned to the recommendation | 🔽 |
| Criticality | Highlight the most spread measures among the organization's risks | = Number of risks mitigated | 🔽 |
| Importance | Put in order according to the criteria of importance of the risk assessor | = Measure's importance criteria | 🔽 |
| Likelihood | Prioritize the measures that are related to the most likely risks | = Σ ( Threat probability x Vulnerability qualification ) | 🔽 |
![[[images/22a.PNG]]](images/22a.PNG){kind=link}
22b. Risk factors
The second part of the decision support tab is about highlight specific aspects of the risk analysis that might have gone unnoticed by the user otherwise.
Duplicate risks stemming from global assets are showed only once when not specifying an asset in the risk analysis.
One must have to choose from a dropdown list one of the following options :
- Global risks
- Vulnerabilities
- Threats
- Operational assets
Similarly to above, the application will give a score according to the chosen option and then list the results.
Global risk header:
Threat header:
Vulnerability header:
images/22b_vulnerabilities.PNG
Operational assets header:
images/22b_operational_assets.PNG
Here is how the score is calculated for each option:
| Option | Description | Score | Order |
|---|---|---|---|
| Global risks | Show risks that might be more present than the UI let see | = number of asset which contain that risk | 🔽 |
| Threats | Highlight the most spread threats | = number of asset concerned by the threat | 🔽 |
| Vulnerabilities | Bring out the real weaknesses of the organization | = number of asset affected by the same vulnerability | 🔽 |
| Operational assets | Show each asset's operational risk contribution | = relative distribution of ROLFP impacts | 🔽 |
3) Perspective
31) Layout
[[images/Frontend_Perspective_Layout_Components.PNG]]
![[[images/Frontend_Perspective_Layout_Components.PNG]]](images/Frontend_Perspective_Layout_Components.PNG){kind=link}
This last view of the dashboard is meant to compare two snapshots of the risk analysis: the one currently in use and another one that one must be able to load through an upload field.
This perspective view will then be composed of one plot, in which different bar charts will be nested. In fact, the user must be given a checkbox from which he could choose what chart is relevant to him and display it.
![[[images/Perspective.gif]]](images/Perspective.gif){kind=link}
32) Components
32a. Evolutions & tendencies
The main plot area should not label any axis since information presented are in different scales. Indeed, the values should be displayed directly on mouse hover in a tooltip.
In the first place, it should be possible to distinguish operational aspects from information ones and enable the display for each type:
| Value | Description |
|---|---|
| Aggregated Risks | Show the total risk number no matter their risk value |
| Split Risks | Show trong, medium and weak risks total number |
| Risk mean | Put in perspective the overall risk average value for both risk analysis |
Aggregated and split options shall be exclusive
Besides choosing to screen either operational or information risks, it should be always possible to display the following:
| Value | Description |
|---|---|
| Assets | Compare the number of assets present in the risk analysis |
| Applied recommendations | Bring out number of applied recommendations |