-
Notifications
You must be signed in to change notification settings - Fork 43
Add SSVC doc explaining "human-scale bottleneck" idea #1087
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
ahouseholder
wants to merge
8
commits into
main
Choose a base branch
from
fix-1033
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
b27d56e
resolves #1033: Add SSVC doc explaining "human-scale bottleneck" idea
ahouseholder 8b48d44
Apply suggestions from code review
ahouseholder 304a59b
add ssvc human scale bottleneck page to nav
ahouseholder 702b6a6
Merge branch 'fix-1033' of https://github.com/CERTCC/SSVC into fix-1033
ahouseholder b2e7af7
markdownlint --fix
ahouseholder cdc25c2
wording
ahouseholder 8eac547
add diagram and links to other pages
ahouseholder 5907773
refine diagram
ahouseholder File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| # **SSVC: The Human-Scale Bottleneck in Automated Vulnerability Response** | ||
|
|
||
| As vulnerability response processes become increasingly saturated with automation—from AI-driven data collection to sophisticated analysis—the **Stakeholder-Specific Vulnerability Categorization (SSVC)** model is intentionally designed to serve as a crucial, human-scale bottleneck. This approach ensures that while the process is efficient and automated, the core decision-making remains transparent, accountable, and aligned with organizational risk appetite, providing a necessary bridge between technical data and business policy. | ||
|
|
||
| ```mermaid | ||
| --- | ||
| title: SSVC as the Human-Scale Bottleneck in Vulnerability Response | ||
| --- | ||
| flowchart LR | ||
|
|
||
| subgraph dc[Data Mapping] | ||
| collect[Collect Lots of Data] | ||
| end | ||
| subgraph ssvc[SSVC operates at human-scale] | ||
| subgraph ssvcdt[Decision Model] | ||
| dps[SSVC Decision Points] | ||
| model[SSVC Decision Table] | ||
| end | ||
| gov[Governance] | ||
| end | ||
| subgraph use[Use & Respond] | ||
| apply[Decisions] | ||
| do[Actions] | ||
| effects[Results] | ||
| end | ||
| dps -->|input to| model | ||
| model -->|defines| apply | ||
| apply -->|lead to| do | ||
| do -->|produce| effects | ||
| dc -->|informs| dps | ||
| effects -->|informs| gov | ||
| gov -->|refines| ssvcdt | ||
| gov -->|refines| dc | ||
| ``` | ||
|
|
||
| On the input side, [Data Mapping](bootstrap/collect.md) funnels large-scale | ||
| data | ||
| collection into the small set of SSVC decision points. | ||
| On the output side, [Use & Respond](bootstrap/use.md) fans the model's outputs | ||
| out into operational decisions at scale. | ||
| SSVC sits in the middle as the human-scale interface where organizational policy is defined and refined. | ||
|
|
||
| ## **Condensing Complexity into Human-Scale Decisions** | ||
|
|
||
| The initial stages of vulnerability response—[data collection and mapping](bootstrap/collect.md)—often involve vast amounts of information, advanced data sharing formats, and powerful analytical tools, increasingly including AI agents and Large Language Models (LLMs). SSVC's core function is to condense this extensive, complex dataset into a small, manageable set of **decision points**. | ||
|
|
||
| These decision points possess several key characteristics that make them suitable for human oversight and policy definition: | ||
|
|
||
| - **Densely Defined and Ordinal:** Each decision point uses values that are ordered (ordinal variables), moving from least likely to most likely to imply action (e.g., Low, Medium, High). This ordering provides a clear, qualitative progression without the mathematical properties of intervals. | ||
| - **Orthogonal and Independent:** The chosen decision points capture unique dimensions of the problem. By minimizing conceptual overlap, the model ensures that each dimension contributes independently to the final outcome, keeping the overall decision table compact and easier to reason about. The goal is to have completely independent decision points to reduce ambiguity. | ||
| - **Chunky Values:** To prevent the decision space from becoming unmanageable, decision points are limited to a small number of values, typically two to five. This restriction keeps the size of the final decision table small, as the total table size is the product of the value counts for each decision point. | ||
|
|
||
| ## **The Decision Table: Policy as Code** | ||
|
|
||
| By defining a set of orthogonal, ordered decision points, SSVC induces a **partial order** on the entire input space (the Cartesian product of all decision point values). The resulting ordered set of input combinations is then mapped, via a **decision table**, onto a predefined **outcome set** of ordered outcomes. | ||
|
|
||
| The decision table serves as the codified organizational policy. The outcomes are also ordered and typically represent service-level expectations (SLEs), priorities (e.g., Low, Medium, Critical), or prescribed actions (e.g., Defer, Scheduled, Out-of-Cycle, Immediate). This mapping of inputs to output values defines the policy. | ||
|
|
||
| Key criteria for the decision table design include: | ||
|
|
||
| | Criterion | Rationale | | ||
| | :---- |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | **Small Size** | Avoids complexity; keeps the number of questions required for analysis minimal (ideally 2-7 inputs, not dozens). Collecting and discriminating between dozens of values comes at an unnecessary cost. | | ||
| | **Orthogonal Inputs** | Ensures inputs are independent, reducing ambiguity and overlap. | | ||
| | **Chunky Values** | Limiting values per input (2-5) prevents exponential growth of the table size ($3 \times 3 \times 3 = 27$ rows; $4 \times 3 \times 3 \times 3 = 108$ rows). | | ||
| | **Understandability** | Decision points must be understandable to non-technical risk owners, focusing on business impact rather than technical specifics (e.g., "Criticality of Affected System" instead of "Buffer Overflow vs. SQL Injection"). | | ||
|
|
||
| ## **The Role of the Human in a Machine-Driven World** | ||
|
|
||
| The concept of SSVC as a human-scale bottleneck means that the complexity of the automated threat landscape is filtered through a framework **designed by humans, for humans, and understood by humans**. | ||
|
|
||
| **1\. Accountability and Risk Alignment:** | ||
| The decision table provides an explicit, unambiguous link between technical vulnerability characteristics and organizational risk appetite. This structure facilitates crucial conversations between technical implementers (responsible for patching) and risk owners (CISO, IT management, senior management), transferring responsibility from technical staff making proxy judgments to risk owners defining explicit policy. | ||
|
|
||
| - **Before SSVC:** Technical staff make proxy judgments based on complex scores (e.g., CVSS 7.6 vs. 5.9), which risk owners often don't fully comprehend. | ||
| - **With SSVC:** Decisions are explained using comprehensible terms: "We are responding immediately because this has **High Technical Impact** and affects a **Critical Central Server**. This aligns with our established policy." The risk owner can also explain this policy up to their management. | ||
|
|
||
| **2\. Governance and Policy Refinement:** | ||
| The SSVC model is designed for straightforward modification, enabling policy owners to easily adapt their response posture when needed. Changes are typically managed through predictable steps. This process ensures that when a risk owner desires a change, the modification to the policy (the decision table) can be clearly executed and understood. | ||
|
|
||
| The SSVC governance loop—described in detail in the [Prepare](bootstrap/prepare.md#establish-governance) step of the Getting Started guide—is what makes this refinement practical. Because the decision table is small and explicit, conversations about policy changes stay grounded: | ||
|
|
||
| > *"Why did we respond that way?"* | ||
| > *"Because conditions A, B, and C were all met."* | ||
| > *"I think we should have responded differently in that case."* | ||
| > *"Should we add a new condition D to every decision, or just re-label the outcome for the row where (A, B, C) applies?"* | ||
|
|
||
| This kind of structured conversation is exactly what SSVC is designed to enable. A lightweight governance process periodically reviews each element of the model: | ||
|
|
||
| - Are the **outcomes** still relevant to the organization? | ||
| - Are the **decision points** capturing the right dimensions of the problem? | ||
| - Does the **decision table** still reflect how the organization wants to make decisions? | ||
| - Have there been cases where the table led to a decision that was later regretted? | ||
| - Are there new constraints or requirements not yet captured? | ||
| - Is the **[data mapping](bootstrap/collect.md)** still appropriate—are the right data sources being used to assign values to decision points? | ||
|
|
||
| Depending on the review, adjustments can be made to any layer of the model. The impact of those adjustments is predictable: | ||
|
|
||
| | Modification Type | Impact on Table Size and Complexity | | ||
| | :---- | :---- | | ||
| | **Adjusting Outcome Labels** | Simple fix; maintain existing inputs and values. Requires technical check to ensure partial order causality is maintained (e.g., low-risk inputs cannot have high-priority outcomes). | | ||
| | **Adding/Reducing Values** | Small, measurable change. Adding a value increases the table size additively (e.g., $3 \times 3 \times 3 = 27$ to $4 \times 3 \times 3 = 36$). | | ||
| | **Adding a Decision Point** | Multiplicative increase in table size (e.g., $3 \times 3 \times 3 = 27$ to $3 \times 3 \times 3 \times 3 = 81$). Requires a more involved policy review. | | ||
|
|
||
| Crucially, governance should involve the right stakeholders. Risk owners must be involved in reviewing and adjusting the decision table itself, while vulnerability management and IT security teams are best positioned to review the data mapping and decision point definitions. Operational feedback from [Use & Respond](bootstrap/use.md) provides the empirical basis for identifying where the model needs refinement. | ||
|
|
||
| ## **SSVC is Not a Process Bottleneck** | ||
|
|
||
| Crucially, SSVC being a "human-scale bottleneck" does **not** mean it forces a human to manually review every decision. The decision table, once defined, is entirely automatable. | ||
|
|
||
| Automation can exist throughout the entire response workflow: | ||
|
|
||
| - **Input Automation:** AI or LLMs can perform the "reading comprehension test" of analyzing raw vulnerability data and mechanically selecting the correct values for the SSVC decision points. See [Data Mapping](bootstrap/collect.md) for how to connect data sources to decision point values. | ||
| - **Output Automation:** The prioritized outcome from the SSVC table (e.g., "Immediate") can feed directly into automated patching, ticketing, or software fix development systems. See [Use & Respond](bootstrap/use.md) for how to operationalize SSVC outcomes at scale. | ||
|
|
||
| SSVC acts as a fixed, unambiguous interface. The "human scale" element is in the **design and governance** of this interface, ensuring human accountability and understanding of the decision-making logic. The table's fixed structure means there is no ambiguity from a human's understanding standpoint—you know what the output will be based on the defined inputs and policy. It is the locus where technical reality meets organizational policy. The human is in the loop defining the decision space, not necessarily every single decision. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.