Feature - Custom Risk Calculations

Hi,

Will you consider factoring in the assets liabilities for the Magerit calculation pls?

Thanks,
David

At the moment there is no plan to change the risk module. We might include custom calculations later in the year, but not for the time being.

int ref: https://github.com/eramba/eramba/issues/4704

We need to allow “Classifications” as an optional (by default disabled) setting for inputs to all risk types, that is:

  • Assets (already there)
  • Liabilities
  • Third Parties (missing)
  • Business Units (missing)
  • Processes (missing)

The risk module also has some type of classification defined by the user (in this case it is mandatory).

On each risk module, the user will have a “Custom Calculation” setting under Settings / Calculation Method:

The idea is that the user can provide a custom arithmetic calculation formula that includes, as variables, all available classifications for that module (the third party module does not relate to the business module and therefore those classifications should not be shown).

  • Example: multiply impact and likelihood

  • Formula: asset-risk.impact*asset-risk.likelihood

  • Example: highest availability classification value of assets linked to the risk (this could always be one or more values) multiplied by the multiplication of impact and likelihood.

  • Formula: highest(asset.availability)*(asset-risk.impact*asset-risk.likelihood)

  • Example: for each of the highest CIA values of all asset inputs, multiply them by whatever impact the user wishes to select, then multiply that value by one likelihood.

  • Formula: impossible to do it with a formula alone, you need changes to the form.

I explored the idea of a UI to do this, but it is very complicated because:

  • There could be arithmetic operators but also functions (such as uniq, sum, highest, avg, etc.), so I think this will be custom coded for each customer.
  • The UI on the risk form might require dynamic forms, for example for each “asset classification” set a risk classification “impact”. Dynamically adjusting the edit risk form is insanely complicated with UI.

What is doable is:

  • Keep offering more hard-coded risk classification options
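
The formula syntax discussed in the thread takes user-supplied text, so whatever evaluates it should parse a fixed grammar instead of handing the string to a general-purpose `eval`. The sketch below is an added example, not part of the original thread and not eramba code: it accepts only numbers, `module.classification` variables present in the module's own value map, the four arithmetic operators, and a whitelist of three of the functions named above. The names `tokenize`, `evaluate`, `FUNCS`, the function semantics, and the rule that a multi-valued classification must be wrapped in a function are all assumptions.

```python
import operator
import re
# Assumed whitelist: names come from the post, their semantics are a guess.
FUNCS = {"highest": max, "sum": sum, "avg": lambda v: sum(v) / len(v)}
OPS = [{"+": operator.add, "-": operator.sub}, {"*": operator.mul, "/": operator.truediv}]
# number | module.classification (module may be hyphenated) | function name with "(" | operator
TOKEN = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|([a-z]+(?:-[a-z]+)*\.[a-z]+)|([a-z]+)\(|([-+*/()]))")

def tokenize(formula):
    if TOKEN.sub("", formula).strip():
        raise ValueError("formula contains text outside the grammar")
    kinds = ("num", "var", "func", "op")
    return [(kinds[m.lastindex - 1], m.group(m.lastindex)) for m in TOKEN.finditer(formula)]

def evaluate(formula, values):
    """values: only the classifications this module exposes; a list = one value per linked item."""
    toks = tokenize(formula) + [("end", "")]
    def take(expected=None):
        kind, text = toks.pop(0)
        if expected is not None and text != expected:
            raise ValueError(f"expected {expected!r}, got {text!r}")
        return kind, text
    def lookup(name):
        if name not in values:
            raise ValueError(f"classification {name!r} is not available in this module")
        return values[name]
    def atom():
        kind, text = take()
        if kind == "num":
            return float(text)
        if kind == "var" and not isinstance(lookup(text), list):
            return lookup(text)
        if kind == "func" and text in FUNCS:
            vals = lookup(take()[1])  # the argument must be a known classification
            take(")")
            return FUNCS[text](vals if isinstance(vals, list) else [vals])
        if text == "(":
            value = level(0)
            take(")")
            return value
        raise ValueError(f"unexpected or multi-valued term {text!r}")
    def level(n):  # n=0 handles + and -, n=1 handles * and /
        operand = atom if n else (lambda: level(1))
        left = operand()
        while toks[0][1] in OPS[n]:
            left = OPS[n][take()[1]](left, operand())
        return left
    result = level(0)
    take("")  # leftover tokens are a syntax error
    return result
```

Passing a different `values` map per risk module is what keeps, for example, third-party classifications out of formulas for a module that does not relate to them.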