The blocking effect of a control strategy is supposed to depend on:
- an intrinsic blocking effect for that type of control strategy reflecting how well it should work, and
- the coverage levels of any mandatory controls
As far as I can tell, the second dependency is not being calculated correctly in the risk calculator. The attached model (a test case created for #214) is very simple and should work with any v6a domain model. It involves a private space accessible from a public space. The public space has low assumed OccupantTW, meaning people able to occupy that space are not trustworthy. This leads to the behaviour PhysicalIntrusion in the private space, caused by a threat of these untrustworthy members of the public being able to enter the private space.
There is a control strategy that should block the relevant threat, that involves implementing a ChipAndPinLock control at the private space. The blocking effect of the control strategy is 'Safe', and the default coverage level for the ChipAndPinLock control is also 'Safe'. Selecting this control therefore prevents PhysicalIntrusion being caused in the private space.
However, if we override the coverage level of the ChipAndPinLock control to (say) 'Medium', there is no change in the likelihood of PhysicalIntrusion into the private space. Having a lower coverage level for a mandatory control should reduce the blocking effect of the control strategy, but this does not seem to work correctly.
Turns out this is an old issue, see #124. It may also need to be investigated in conjunction with #76, although I thought that one was already addressed.
I've fixed this and attached the full model showing the likelihood level of PhysicalIntrusion is Medium when the coverage level of ChipAndPINLock is Medium. I first verified that before the fix, the likelihood level of PhysicalIntrusion was Negligible.
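Added example, not the risk calculator's code and not part of the comments above: a small model of the dependency this issue describes, reproducing the reported Negligible (before the fix) and Medium (after the fix) results. The six-level scales, the min() combination rule, the inversion from blocking effect to likelihood and all function names are assumptions.

```python
# Added illustration; the level scales and the min() combination rule are
# assumptions, not the risk calculator's code.
TW_LEVELS = ["VeryLow", "Low", "Medium", "High", "VeryHigh", "Safe"]
LIKELIHOODS = ["Negligible", "VeryLow", "Low", "Medium", "High", "VeryHigh"]


def invert(tw_level):
    """Map a trustworthiness-style level to the likelihood it leaves behind."""
    return LIKELIHOODS[len(TW_LEVELS) - 1 - TW_LEVELS.index(tw_level)]


def weakest(levels):
    """Return the lowest level on the trustworthiness scale."""
    return min(levels, key=TW_LEVELS.index)


def effective_blocking(intrinsic, mandatory_coverage):
    """Blocking effect capped by the weakest mandatory control's coverage."""
    if not mandatory_coverage:
        raise ValueError("no mandatory control coverage given")
    return weakest([intrinsic, *mandatory_coverage.values()])


def buggy_blocking(intrinsic, mandatory_coverage):
    """Behaviour reported in the issue: coverage overrides are ignored."""
    return intrinsic


def threat_likelihood(cause_tw, blocking):
    """Likelihood is limited by the cause and by what the strategy blocks."""
    return min(invert(cause_tw), invert(blocking), key=LIKELIHOODS.index)


def physical_intrusion(coverage, blocking_fn=effective_blocking):
    # Constructed stand-in for the attached model: public space OccupantTW
    # "Low", strategy with intrinsic blocking "Safe", one mandatory control.
    blocking = blocking_fn("Safe", {"ChipAndPinLock": coverage})
    return threat_likelihood("Low", blocking)


if __name__ == "__main__":
    for cov in ("Safe", "Medium"):
        print(cov, physical_intrusion(cov), physical_intrusion(cov, buggy_blocking))
```

The same three cases make a compact regression check for a coverage override: default coverage, lowered coverage, and lowered coverage with the override ignored.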
Issue 214 Test 01 asserted.nq.gz