SSVC Policy Explorer tool and way forward for adoption support.

[sei-vsarvepalli]

The future iteration of the SSVC calculator(Dryad) earlier should head towards more of a SSVC Policy Explorer the focus of the tool will be ability to quickly show an SSVC Policy with some sample SSVC Policy created as Decision Trees and provide user for a way to interact with the Policy, change Decision Points, Outcomes and explore what may be feasible and useable for an organization.

[todb-cisa]

I find this mock up super useful! My only wish is that there were some explainers around the terms, much like how the FIRST CVSS calculator works. Like so:

So like, on the Policy Explorer, if you mouseover "PoC", you get a few words like "PoC: Proof of Concept exploit code is publicly available, and little to no work would need to be done to fully weaponize this exploit." Something like that would be useful to help level set folks on what "PoC" means, and other jargony terms.

[ahouseholder]

The explainer text exists in the description fields of each decision point. See basically anything in https://github.com/CERTCC/SSVC/tree/main/src/ssvc/decision_points -- point being this should be doable.

[ahouseholder]

It's interesting to me that the table is the same when nothing is selected as when everything is selected. This, to me, highlights the idea that when you don't know anything about the specific case you're assessing, you still know the balance of the policy vs the potential states of the world.

This makes for some interesting opportunities for conveying the idea of the utility of partial information. For example, if there are 4 decision points, and specifying values for two of them gets you down to a 20 possible outcomes, 19 of which are "defer", you actually have some useful information about how much effort you want to put into answering the last two decision point values.

[ahouseholder]

I'm also thinking about something I'll call a "decision modeler" tool that is probably distinct from this "policy explorer". A "decision modeler" might do things like:

• collect some basic information about the decision being modeled
• present a menu of decision points to choose from
• present a menu of outcome sets to choose from
• generate a table that smears the decision point combinations across the outcome sets (possibly with specified weights)
• allow editing of the outcomes in the resulting table
• share/save a policy
• transfer a policy into the policy explorer for experiments/evaluation

[ehatleback]

Here's an idea for a "community-driven" update feature for SSVC: allow community members to modify existing decision points, or create new ones entirely, and have the full set of created or modified possibilities saved and accessible to the community, in some form of "under consideration" list. Implement some sort of vote system whereby the decision point modifications or creations that the community likes will percolate to the top, and likewise the ones that the community doesn't see as useful will fade to the bottom. Then enforce some sort of continually-running "promotion and relegation" system, whereby the best ideas (according to the enforcement system) are promoted to the "official" selection of SSVC decision points, and the languishing ideas (after a certain amount of time, or a certain number of downvotes, or whatever) get removed from the "under consideration" list.

This would be beneficial because 1) it would allow the community to have input into shaping the direction of SSVC; and 2) it would provide real-world data/feedback about what the world needs in SSVC terms.

[ahouseholder]

(glossary: A policy maps a set of decision point values to a set of outcomes)

For customizing SSVC, I think there might be (at least) 3 layers:

• a Policy Explorer that lets you poke at the selected options in a policy and how they change the outcomes. Used for tuning models and policies.
• a Decision Modeler that lets you construct decision models and policies see this comment for more
• a Decision Point Editor that lets you construct new decision points for your needs

These things can interact. You might start with an example policy in Policy Explorer. Then realize that you want to swap out a decision point. So you bring it into the Decision Modeler and do the swap. You can then take the new policy back to Policy Explorer to tweak the outcome mappings. But then maybe you realize you need slightly different semantics so you hop into the Decision Point Editor to create a custom decision point. You do that, save it, and go to Decision Modeler to add it to your decision model, then back to Policy Explorer to fine-tune it.

[j---]

This way forward makes sense to me!