diff --git a/data/csvs/deployer-options_v2.csv b/data/csvs/deployer-options_v2.csv
deleted file mode 100644
index 189c21ce..00000000
--- a/data/csvs/deployer-options_v2.csv
+++ /dev/null
@@ -1,109 +0,0 @@
-row,Exploitation,Exposure,Utility,Human Impact,Priority
-1,none,small,laborious,low,defer
-2,none,small,laborious,medium,defer
-3,none,small,laborious,high,scheduled
-4,none,small,laborious,very high,scheduled
-5,none,small,efficient,low,defer
-6,none,small,efficient,medium,scheduled
-7,none,small,efficient,high,scheduled
-8,none,small,efficient,very high,scheduled
-9,none,small,super effective,low,defer
-10,none,small,super effective,medium,scheduled
-11,none,small,super effective,high,scheduled
-12,none,small,super effective,very high,scheduled
-13,none,controlled,laborious,low,defer
-14,none,controlled,laborious,medium,scheduled
-15,none,controlled,laborious,high,scheduled
-16,none,controlled,laborious,very high,scheduled
-17,none,controlled,efficient,low,defer
-18,none,controlled,efficient,medium,scheduled
-19,none,controlled,efficient,high,scheduled
-20,none,controlled,efficient,very high,scheduled
-21,none,controlled,super effective,low,scheduled
-22,none,controlled,super effective,medium,scheduled
-23,none,controlled,super effective,high,scheduled
-24,none,controlled,super effective,very high,scheduled
-25,none,open,laborious,low,defer
-26,none,open,laborious,medium,scheduled
-27,none,open,laborious,high,scheduled
-28,none,open,laborious,very high,scheduled
-29,none,open,efficient,low,scheduled
-30,none,open,efficient,medium,scheduled
-31,none,open,efficient,high,scheduled
-32,none,open,efficient,very high,scheduled
-33,none,open,super effective,low,scheduled
-34,none,open,super effective,medium,scheduled
-35,none,open,super effective,high,scheduled
-36,none,open,super effective,very high,out-of-cycle
-37,PoC,small,laborious,low,defer
-38,PoC,small,laborious,medium,scheduled
-39,PoC,small,laborious,high,scheduled
-40,PoC,small,laborious,very high,scheduled
-41,PoC,small,efficient,low,defer
-42,PoC,small,efficient,medium,scheduled
-43,PoC,small,efficient,high,scheduled
-44,PoC,small,efficient,very high,scheduled
-45,PoC,small,super effective,low,scheduled
-46,PoC,small,super effective,medium,scheduled
-47,PoC,small,super effective,high,scheduled
-48,PoC,small,super effective,very high,scheduled
-49,PoC,controlled,laborious,low,defer
-50,PoC,controlled,laborious,medium,scheduled
-51,PoC,controlled,laborious,high,scheduled
-52,PoC,controlled,laborious,very high,scheduled
-53,PoC,controlled,efficient,low,scheduled
-54,PoC,controlled,efficient,medium,scheduled
-55,PoC,controlled,efficient,high,scheduled
-56,PoC,controlled,efficient,very high,scheduled
-57,PoC,controlled,super effective,low,scheduled
-58,PoC,controlled,super effective,medium,scheduled
-59,PoC,controlled,super effective,high,scheduled
-60,PoC,controlled,super effective,very high,out-of-cycle
-61,PoC,open,laborious,low,defer
-62,PoC,open,laborious,medium,scheduled
-63,PoC,open,laborious,high,scheduled
-64,PoC,open,laborious,very high,out-of-cycle
-65,PoC,open,efficient,low,scheduled
-66,PoC,open,efficient,medium,scheduled
-67,PoC,open,efficient,high,scheduled
-68,PoC,open,efficient,very high,out-of-cycle
-69,PoC,open,super effective,low,scheduled
-70,PoC,open,super effective,medium,scheduled
-71,PoC,open,super effective,high,out-of-cycle
-72,PoC,open,super effective,very high,out-of-cycle
-73,active,small,laborious,low,scheduled
-74,active,small,laborious,medium,scheduled
-75,active,small,laborious,high,out-of-cycle
-76,active,small,laborious,very high,out-of-cycle
-77,active,small,efficient,low,scheduled
-78,active,small,efficient,medium,scheduled
-79,active,small,efficient,high,out-of-cycle
-80,active,small,efficient,very high,out-of-cycle
-81,active,small,super effective,low,scheduled
-82,active,small,super effective,medium,scheduled
-83,active,small,super effective,high,out-of-cycle
-84,active,small,super effective,very high,out-of-cycle
-85,active,controlled,laborious,low,scheduled
-86,active,controlled,laborious,medium,scheduled
-87,active,controlled,laborious,high,out-of-cycle
-88,active,controlled,laborious,very high,out-of-cycle
-89,active,controlled,efficient,low,scheduled
-90,active,controlled,efficient,medium,scheduled
-91,active,controlled,efficient,high,out-of-cycle
-92,active,controlled,efficient,very high,out-of-cycle
-93,active,controlled,super effective,low,scheduled
-94,active,controlled,super effective,medium,out-of-cycle
-95,active,controlled,super effective,high,out-of-cycle
-96,active,controlled,super effective,very high,out-of-cycle
-97,active,open,laborious,low,scheduled
-98,active,open,laborious,medium,scheduled
-99,active,open,laborious,high,out-of-cycle
-100,active,open,laborious,very high,immediate
-101,active,open,efficient,low,scheduled
-102,active,open,efficient,medium,out-of-cycle
-103,active,open,efficient,high,immediate
-104,active,open,efficient,very high,immediate
-105,active,open,super effective,low,out-of-cycle
-106,active,open,super effective,medium,out-of-cycle
-107,active,open,super effective,high,immediate
-108,active,open,super effective,very high,immediate
diff --git a/data/csvs/deployer-options_v2_1.csv b/data/csvs/deployer-options_v2_1.csv
new file mode 100644
index 00000000..66b5f3fe
--- /dev/null
+++ b/data/csvs/deployer-options_v2_1.csv
@@ -0,0 +1,73 @@
+row,Exploitation,Exposure,Automatable,Human Impact,Priority
+1,none,small,no,low,defer
+2,none,small,no,medium,defer
+3,none,small,no,high,scheduled
+4,none,small,no,very high,scheduled
+5,none,small,yes,low,defer
+6,none,small,yes,medium,scheduled
+7,none,small,yes,high,scheduled
+8,none,small,yes,very high,scheduled
+9,none,controlled,no,low,defer
+10,none,controlled,no,medium,scheduled
+11,none,controlled,no,high,scheduled
+12,none,controlled,no,very high,scheduled
+13,none,controlled,yes,low,scheduled
+14,none,controlled,yes,medium,scheduled
+15,none,controlled,yes,high,scheduled
+16,none,controlled,yes,very high,scheduled
+17,none,open,no,low,defer
+18,none,open,no,medium,scheduled
+19,none,open,no,high,scheduled
+20,none,open,no,very high,scheduled
+21,none,open,yes,low,scheduled
+22,none,open,yes,medium,scheduled
+23,none,open,yes,high,scheduled
+24,none,open,yes,very high,out-of-cycle
+25,PoC,small,no,low,defer
+26,PoC,small,no,medium,scheduled
+27,PoC,small,no,high,scheduled
+28,PoC,small,no,very high,scheduled
+29,PoC,small,yes,low,scheduled
+30,PoC,small,yes,medium,scheduled
+31,PoC,small,yes,high,scheduled
+32,PoC,small,yes,very high,scheduled
+33,PoC,controlled,no,low,defer
+34,PoC,controlled,no,medium,scheduled
+35,PoC,controlled,no,high,scheduled
+36,PoC,controlled,no,very high,scheduled
+37,PoC,controlled,yes,low,scheduled
+38,PoC,controlled,yes,medium,scheduled
+39,PoC,controlled,yes,high,scheduled
+40,PoC,controlled,yes,very high,out-of-cycle
+41,PoC,open,no,low,defer
+42,PoC,open,no,medium,scheduled
+43,PoC,open,no,high,scheduled
+44,PoC,open,no,very high,out-of-cycle
+45,PoC,open,yes,low,scheduled
+46,PoC,open,yes,medium,scheduled
+47,PoC,open,yes,high,out-of-cycle
+48,PoC,open,yes,very high,out-of-cycle
+49,active,small,no,low,scheduled
+50,active,small,no,medium,scheduled
+51,active,small,no,high,out-of-cycle
+52,active,small,no,very high,out-of-cycle
+53,active,small,yes,low,scheduled
+54,active,small,yes,medium,scheduled
+55,active,small,yes,high,out-of-cycle
+56,active,small,yes,very high,out-of-cycle
+57,active,controlled,no,low,scheduled
+58,active,controlled,no,medium,scheduled
+59,active,controlled,no,high,out-of-cycle
+60,active,controlled,no,very high,out-of-cycle
+61,active,controlled,yes,low,scheduled
+62,active,controlled,yes,medium,out-of-cycle
+63,active,controlled,yes,high,out-of-cycle
+64,active,controlled,yes,very high,out-of-cycle
+65,active,open,no,low,scheduled
+66,active,open,no,medium,scheduled
+67,active,open,no,high,out-of-cycle
+68,active,open,no,very high,immediate
+69,active,open,yes,low,out-of-cycle
+70,active,open,yes,medium,out-of-cycle
+71,active,open,yes,high,immediate
+72,active,open,yes,very high,immediate
\ No newline at end of file
diff --git a/doc/graphics/ssvc_2_deployer_SeEUMss.pdf b/doc/graphics/ssvc_2_deployer_SeEUMss.pdf
index 27590550..986007d3 100644
Binary files a/doc/graphics/ssvc_2_deployer_SeEUMss.pdf and b/doc/graphics/ssvc_2_deployer_SeEUMss.pdf differ
diff --git a/doc/graphics/ssvc_2_deployer_SeEUMss.tex b/doc/graphics/ssvc_2_deployer_SeEUMss.tex
index cfa607e9..61cac58b 100644
--- a/doc/graphics/ssvc_2_deployer_SeEUMss.tex
+++ b/doc/graphics/ssvc_2_deployer_SeEUMss.tex
@@ -46,60 +46,42 @@ for tree={s sep*=0.33, l sep=20mm, child anchor=west, anchor=west, grow=east, calign=center, tier/.pgfmath=level()}, forked edges, [Exploitation, rectangle, draw, [Exposure, rectangle, draw, my label={active}, -[Utility, rectangle, draw, my label={open}, -[Human Impact, rectangle, draw, my label={super effective}, +[Automatable, rectangle, draw, my label={open}, +[Human Impact, rectangle, draw, my label={yes}, [, immediate, my label={very high} ] [, immediate, my label={high} ] [, out-of-cycle, my label={medium} ] [, out-of-cycle, my label={low} ] ] -[Human Impact, rectangle, draw, my label={efficient}, -[, immediate, my label={very high} ] -[, immediate, my label={high} ] -[, out-of-cycle, my label={medium} ] -[, scheduled, my label={low} ] -] -[Human Impact, rectangle, draw, my label={laborious}, +[Human Impact, rectangle, draw, my label={no}, [, immediate, my label={very high} ] [, out-of-cycle, my label={high} ] [, scheduled, my label={medium} ] [, scheduled, my label={low} ] ] ] -[Utility, rectangle, draw, my label={controlled}, -[Human Impact, rectangle, draw, my label={super effective}, +[Automatable, rectangle, draw, my label={controlled}, +[Human Impact, rectangle, draw, my label={yes}, [, out-of-cycle, my label={very high} ] [, out-of-cycle, my label={high} ] [, out-of-cycle, my label={medium} ] [, scheduled, my label={low} ] ] -[Human Impact, rectangle, draw, my label={efficient}, -[, out-of-cycle, my label={very high} ] -[, out-of-cycle, my label={high} ] -[, scheduled, my label={medium} ] -[, scheduled, my label={low} ] -] -[Human Impact, rectangle, draw, my label={laborious}, +[Human Impact, rectangle, draw, my label={no}, [, out-of-cycle, my label={very high} ] [, out-of-cycle, my label={high} ] [, scheduled, my label={medium} ] [, scheduled, my label={low} ] ] ] -[Utility, rectangle, draw, my label={small}, -[Human Impact, rectangle, draw, my label={super effective}, +[Automatable, rectangle, draw, my label={small}, +[Human 
Impact, rectangle, draw, my label={yes}, [, out-of-cycle, my label={very high} ] [, out-of-cycle, my label={high} ] [, scheduled, my label={medium} ] [, scheduled, my label={low} ] ] -[Human Impact, rectangle, draw, my label={efficient}, -[, out-of-cycle, my label={very high} ] -[, out-of-cycle, my label={high} ] -[, scheduled, my label={medium} ] -[, scheduled, my label={low} ] -] -[Human Impact, rectangle, draw, my label={laborious}, +[Human Impact, rectangle, draw, my label={no}, [, out-of-cycle, my label={very high} ] [, out-of-cycle, my label={high} ] [, scheduled, my label={medium} ] 
@@ -108,60 +90,42 @@ ] ] [Exposure, rectangle, draw, my label={PoC}, -[Utility, rectangle, draw, my label={open}, -[Human Impact, rectangle, draw, my label={super effective}, +[Automatable, rectangle, draw, my label={open}, +[Human Impact, rectangle, draw, my label={yes}, [, out-of-cycle, my label={very high} ] [, out-of-cycle, my label={high} ] [, scheduled, my label={medium} ] [, scheduled, my label={low} ] ] -[Human Impact, rectangle, draw, my label={efficient}, -[, out-of-cycle, my label={very high} ] -[, scheduled, my label={high} ] -[, scheduled, my label={medium} ] -[, scheduled, my label={low} ] -] -[Human Impact, rectangle, draw, my label={laborious}, +[Human Impact, rectangle, draw, my label={no}, [, out-of-cycle, my label={very high} ] [, scheduled, my label={high} ] [, scheduled, my label={medium} ] [, defer, my label={low} ] ] ] -[Utility, rectangle, draw, my label={controlled}, -[Human Impact, rectangle, draw, my label={super effective}, +[Automatable, rectangle, draw, my label={controlled}, +[Human Impact, rectangle, draw, my label={yes}, [, out-of-cycle, my label={very high} ] [, scheduled, my label={high} ] [, scheduled, my label={medium} ] [, scheduled, my label={low} ] ] -[Human Impact, rectangle, draw, my label={efficient}, -[, scheduled, my label={very high} ] -[, scheduled, my label={high} ] -[, scheduled, my label={medium} ] -[, scheduled, my label={low} ] -] -[Human Impact, rectangle, draw, my label={laborious}, +[Human Impact, rectangle, draw, my label={no}, [, scheduled, my label={very high} ] [, scheduled, my label={high} ] [, scheduled, my label={medium} ] [, defer, my label={low} ] ] ] -[Utility, rectangle, draw, my label={small}, -[Human Impact, rectangle, draw, my label={super effective}, +[Automatable, rectangle, draw, my label={small}, +[Human Impact, rectangle, draw, my label={yes}, [, scheduled, my label={very high} ] [, scheduled, my label={high} ] [, scheduled, my label={medium} ] [, scheduled, my label={low} ] ] -[Human Impact, 
rectangle, draw, my label={efficient}, -[, scheduled, my label={very high} ] -[, scheduled, my label={high} ] -[, scheduled, my label={medium} ] -[, defer, my label={low} ] -] -[Human Impact, rectangle, draw, my label={laborious}, +[Human Impact, rectangle, draw, my label={no}, [, scheduled, my label={very high} ] [, scheduled, my label={high} ] [, scheduled, my label={medium} ] 
@@ -170,60 +134,42 @@ ] ] [Exposure, rectangle, draw, my label={none}, -[Utility, rectangle, draw, my label={open}, -[Human Impact, rectangle, draw, my label={super effective}, +[Automatable, rectangle, draw, my label={open}, +[Human Impact, rectangle, draw, my label={yes}, [, out-of-cycle, my label={very high} ] [, scheduled, my label={high} ] [, scheduled, my label={medium} ] [, scheduled, my label={low} ] ] -[Human Impact, rectangle, draw, my label={efficient}, -[, scheduled, my label={very high} ] -[, scheduled, my label={high} ] -[, scheduled, my label={medium} ] -[, scheduled, my label={low} ] -] -[Human Impact, rectangle, draw, my label={laborious}, +[Human Impact, rectangle, draw, my label={no}, [, scheduled, my label={very high} ] [, scheduled, my label={high} ] [, scheduled, my label={medium} ] [, defer, my label={low} ] ] ] -[Utility, rectangle, draw, my label={controlled}, -[Human Impact, rectangle, draw, my label={super effective}, +[Automatable, rectangle, draw, my label={controlled}, +[Human Impact, rectangle, draw, my label={yes}, [, scheduled, my label={very high} ] [, scheduled, my label={high} ] [, scheduled, my label={medium} ] [, scheduled, my label={low} ] ] -[Human Impact, rectangle, draw, my label={efficient}, -[, scheduled, my label={very high} ] -[, scheduled, my label={high} ] -[, scheduled, my label={medium} ] -[, defer, my label={low} ] -] -[Human Impact, rectangle, draw, my label={laborious}, +[Human Impact, rectangle, draw, my label={no}, [, scheduled, my label={very high} ] [, scheduled, my label={high} ] [, scheduled, my label={medium} ] [, defer, my label={low} ] ] ] -[Utility, rectangle, draw, my label={small}, -[Human Impact, rectangle, draw, my label={super effective}, -[, scheduled, my label={very high} ] -[, scheduled, my label={high} ] -[, scheduled, my label={medium} ] -[, defer, my label={low} ] -] -[Human Impact, rectangle, draw, my label={efficient}, +[Automatable, rectangle, draw, my label={small}, +[Human Impact, 
rectangle, draw, my label={yes}, [, scheduled, my label={very high} ] [, scheduled, my label={high} ] [, scheduled, my label={medium} ] [, defer, my label={low} ] ] -[Human Impact, rectangle, draw, my label={laborious}, +[Human Impact, rectangle, draw, my label={no}, [, scheduled, my label={very high} ] [, scheduled, my label={high} ] [, defer, my label={medium} ] diff --git a/doc/md_src_files/060_decision-trees.md b/doc/md_src_files/060_decision-trees.md index 0ead80b8..1ea6d5fd 100644 --- a/doc/md_src_files/060_decision-trees.md +++ b/doc/md_src_files/060_decision-trees.md @@ -5,11 +5,11 @@ The definition of choices can take a logical form, such as: - IF - ([*Exploitation*](#exploitation) IS [PoC](#exploitation)) AND - ([*Exposure*](#exposure) IS [controlled](#exploitation)) AND - - ([*Utility*](#utility) IS [laborious](#utility)) AND + - ([*Automatable*](#automatable) IS [no](#automatable)) AND - ([*Human Impact*](#human-impact) IS [medium](#human-impact)) - THEN priority is *scheduled*. -This logical statement is captured in line 50 of the deployer .csv file. +This logical statement is captured in line 35 of the deployer .csv file. There are different formats for capturing these prioritization decisions depending on how and where they are going to be used. In this paper, we primarily represent a full set of guidance on how one stakeholder will make a decision as a **decision tree**. diff --git a/doc/md_src_files/080_workedExample.md b/doc/md_src_files/080_workedExample.md index a243d2a6..01213665 100644 --- a/doc/md_src_files/080_workedExample.md +++ b/doc/md_src_files/080_workedExample.md 
@@ -23,8 +23,8 @@ However, since most of the hospital’s clients have not installed the app, and According to the fictional pilot scenario, “Our mission dictates that the first and foremost priority is to contribute to human welfare and to uphold the Hippocratic oath (do no harm).” The continuity of operations planning for a hospital is complex, with many MEFs. However, even from this abstract, it seems clear that “do no harm” is at risk due to this vulnerability. A mission essential function to that mission is each of the various medical devices works as expected, or at least if a device fails, it cannot actively be used to inflict harm. Unsolicited insulin delivery would mean that MEF “fails for a period of time longer than acceptable,” matching the description of MEF failure. The question is then whether the whole mission fails, which does not seem to be the case. The recovery of MEF functioning is not affected, and most MEFs (the emergency services, surgery, oncology, administration, etc.) would be unaffected. Therefore, we select [*MEF failure*](#mission-impact) and move on to ask about safety impact. This particular pilot study used SSVC version 1. -In the suggested deployer tree for SSVC version 2, mission and safety impact would be used to calculate the overall [*Human Impact*](#human-impat), and [*Utility*](#utility) would need to be answered as well. -Conducting further studies with the recommended version 2 Deployer tree remains an area of future work. +In the suggested deployer tree for SSVC version 2.1, mission and safety impact would be used to calculate the overall [*Human Impact*](#human-impat), and [*Automatable*](#automatable) would need to be answered as well. +Conducting further studies with the recommended version 2.1 Deployer tree remains an area of future work. In the pilot study, this information is conveyed as follows: - **Use of the cyber-physical system**: Insulin pumps are used to regulate blood glucose levels in diabetics. 
Diabetes is extremely common in the US. Misregulation of glucose can cause a variety of problems. Minor misregulation causes confusion or difficulty concentrating. Long-term minor mismanagement causes weigh management issues and blindness. Severe acute mismanagement can lead unconsciousness in a matter of minutes and death in a matter of hours. The impacted insulin pumps have a local (on-patient) wireless control, so wires to the pump do not have to be connected to the patient's control of the system, making the system lighter and less prone to be ripped out. diff --git a/favicon.ico b/favicon.ico new file mode 100644 index 00000000..1db26945 Binary files /dev/null and b/favicon.ico differ diff --git a/index.html b/index.html index 3087d9c4..65421433 100644 --- a/index.html +++ b/index.html @@ -1,469 +1,11 @@ - - - CERT/CC Demo Server - Dryad SSVC Calc App - - - - - - - - - - - + + SSVC Calculator Redirecting - - CERT Logo -
- - - - i - - - - - - -
-
- - -
-

- Dryad - SSVC Calc App -
- (CISA Coordinator v2) -
-

- -

- - - - - - - - -
-

-
-
-
- - -
- -
-
-
-
Exploitation choices
- None:   There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. -
- PoC:   - (Proof of Concept)One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. Some examples of condition (4) are open-source web proxies serve as the PoC code for how to exploit any vulnerability in the vein of improper validation of TLS certificates. As another example, Wireshark serves as a PoC for packet replay attacks on ethernet or WiFi networks. -
- Active:   Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. -
-
-
Virulence choices
- Slow:   Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. Example reasons for why a step may not be reliably automatable include (1) the vulnerable component is not searchable or enumerable on the network, (2) weaponization may require human direction for each target, (3) delivery may require channels that widely deployed network security configurations block, and (4) exploitation may be frustrated by adequate exploit-prevention techniques enabled by default; ASLR is an example of an exploit-prevention tool. -
- Rapid:   Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows unauthenticated remote code execution (RCE) or command injection, the response is likely rapid. -
-
-
Technical Impact
- Partial:   The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. In this context, “low” means that the attacker cannot reasonably make enough attempts to overcome the low chance of each attempt not working. Denial of service is a form of limited control over the behavior of the vulnerable component. -
- Total:   The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability. -
-
- -
Mission Prevelance choices
- Minimal:   Neither support nor essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component nor does it support (enough) mission essential functions. -
- Support:   The operation of the vulnerable component merely supports mission essential functions for two or more entities. - EssentialThe vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity, and failure may (but need not) lead to overall mission failure. -
-
-
Vulnerability Scoring Decisions
- Track   The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary. -
- Track *   Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion. -
- Attend   The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue. -
- Act   The vulnerability requires immediate action by the relevant leadership. The action is a high-priority meeting among the relevant supervisors to decide how to respond. -
- -
- - - - - - - - -
- Determining Mission & Well-being impact value -

 

Public Well-Being Impact


Minimal

Material

Irreversible

Mission Prevalence

Minimal

Low

Medium

High

Support

Medium

Medium

High

Essential

High

High

High

-
- - - -
- -
Public Well-being Impact Decision Values
- - -
-

Impact

Type of Harm

Description

Minimal

All

The effect is below the threshold for all aspects described in material.

Material
(Any one or more of these conditions hold.)

Physical harm

Physical distress and injuries for users (not operators) of the system.

Operator
resiliency

If the operator is expected to be able to keep the cyber-physical system safely operating (that is, prevents one of the other types of harm), then select this option if one of these three apply: system operator must react to exploitation of the vulnerability to maintain safe system state but operator actions would be within their capabilities; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.

System
resiliency

Cyber-physical system’s safety margin effectively eliminated but no actual harm; OR failure of cyber-physical system functional capabilities that support safe operation.

Environment

Major externalities (property damage, environmental damage, etc.) imposed on other parties.

Financial

Financial losses that likely lead to bankruptcy of multiple persons.

Psychological

Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people.

Irreversible (Any one or more of these conditions hold.)

Physical harm

Multiple fatalities likely.

Operator
resiliency

Operator is incapacitated, where operator usually maintains safe cyber-physical system operations, and so other harms at this level are likely.

System
resiliency

Total loss of whole cyber-physical system of which the software is a part.

Environment

Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.

Financial

Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse.

Psychological

N/A

-
-
- -
- Stakeholder-Specific Vulnerability Categorization (SSVC) -
- version 2 (October 2020) -
-
-

Introduction:

-

- Our proposed SSVC approach for vulnerability prioritization takes the form of decision trees. This decision tree can be adapted for different vulnerability management stakeholders such as patch developers and patch appliers. In this instance of Drayd - SSVC calculator app, SSVC is being prototyped for CISA in their unique role as advisors to be able to provide decision support to various stakeholders and influence their prioritization of vulnerabilities. -

-
-
-

Decision Tree Usage:

-

- Click on the button to see - the complete decision tree at a glance. Each circle - - - - - - - represents a decision point or - stage/fork in the decision tree. You can move your mouse over each circle - to get a glimpse at the definition of the choices you can make after that stage/fork. - The path (branch) leading to the next stage fork is labeled - - - - - partial - - - also as it leads you to the next stage/fork represented by a circle. -

-
-

- When using for a new SSVC calculation with - -
- You can move your mouse over circle - - - - - - - or on the text - - Exploitation - that represents a stage/fork in the decision tree - to get information - on choices you can make for - your next stage/fork of the tree. - You will see each branch will also be be labeled - - - - - partial - - - that leads you to the next stage/fork. - You can make the appropriate choice by clicking on the text "partial" or on the - circle where your chosen path ends or terminates. Follow these steps on the decision tree. - When prompted for more complex decision making like - - Mission & Well-Being Impact, you will be presented with more choices, - you can click on - ? to get more help in - understanding and making the right choices. -

-

- Mission & Well-being - is a - cumulative decision that is comprised of - - Mission Prevelance and - - Public Well-Being Impact - . -

-
-
-
-
-
-
-
- - - - - - - - - - - - -
- -
- -
-
- - - - - - - - -
- - -
- - - - Include decision tree in export - -
- Contact: - -
-
-
- - -
-
-
-
-
- - + + Redirecting, SSVC Calculator is at ssvc-calc/ diff --git a/src/enumerate-deployer-options.sh b/src/enumerate-deployer-options.sh index 73521847..f2990052 100755 --- a/src/enumerate-deployer-options.sh +++ b/src/enumerate-deployer-options.sh @@ -4,7 +4,7 @@ i=1 # default output file in the SSVC Github file structure -out="../data/csvs/deployer-options_v2.csv" +out="../data/csvs/deployer-options_v2_1.csv" # refuse to clobber existing file if [ -e "$out" ] @@ -13,13 +13,13 @@ if [ -e "$out" ] fi #header row -echo "row,Exploitation,Exposure,Utility,Well-being and Mission Impact,Priority(TODO)">$out +echo "row,Exploitation,Exposure,Automatable,HumanImpact,Priority(TODO)">$out for Exploitation in none PoC active do for Exposure in small controlled open - do for Utility in laborious efficient "super effective" - do for WellnessMissionImpact in low medium high "very high" - do echo $i,$Exploitation,$Exposure,$Utility,$WellnessMissionImpact,>>$out + do for Automatable in no yes + do for HumanImpact in low medium high "very high" + do echo $i,$Exploitation,$Exposure,$Automatable,$HumanImpact,>>$out i=$(($i+1)) done done diff --git a/ssvc-calc/Deployer-v2.1.0.json b/ssvc-calc/Deployer-v2.1.0.json new file mode 100644 index 00000000..72c08a88 --- /dev/null +++ b/ssvc-calc/Deployer-v2.1.0.json 
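Review bot: The redirect mechanism itself is not recoverable from the extracted new side of index.html — only the title `SSVC Calculator Redirecting` and the body text `Redirecting, SSVC Calculator is at ssvc-calc/` survive, so whether the stub relies on a `<meta http-equiv="refresh">` or on a script cannot be verified here. Whichever it is, the body text should also carry a plain link, `<a href="ssvc-calc/">ssvc-calc/</a>`, so the page stays usable when the refresh is blocked or scripting is disabled. If a script redirect is used, keep the target the fixed relative path `ssvc-calc/` rather than anything derived from the request URL, so the stub cannot be turned into an open redirect.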
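Review bot: The header this script writes, `row,Exploitation,Exposure,Automatable,HumanImpact,Priority(TODO)`, does not match the `data/csvs/deployer-options_v2_1.csv` added in the same commit, whose header is `row,Exploitation,Exposure,Automatable,Human Impact,Priority`, whose Priority column is already populated, and which ends without a trailing newline — so the script cannot regenerate the file it names in `out`. Change the header line to `echo "row,Exploitation,Exposure,Automatable,Human Impact,Priority">"$out"` and add a comment above it such as `# Priority column is emitted empty; the committed CSV presumably has it filled in afterwards`, so a reader knows the CSV is not a pure script output. The row echo also leaves `$HumanImpact` unquoted, so `very high` only survives because echo re-joins the split words with one space; `echo "$i,$Exploitation,$Exposure,$Automatable,$HumanImpact,">>"$out"` gives the same output without depending on that. The two outer `done`s that close the loop nest lie outside the hunk.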
@@ -0,0 +1,849 @@ +{ + "decision_points": [ + { + "label": "Exploitation", + "decision_type": "simple", + "key": "E", + "options": [ + { + "label": "none", + "key": "N", + "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + }, + { + "label": "poc", + "key": "P", + "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. Some examples of condition (4) are open-source web proxies serve as the PoC code for how to exploit any vulnerability in the vein of improper validation of TLS certificates. As another example, Wireshark serves as a PoC for packet replay attacks on ethernet or WiFi networks." + }, + { + "label": "active", + "key": "A", + "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + } + ] + }, + { + "decision_type": "simple", + "label": "Exposure", + "key": "X", + "options": [ + { + "label": "small", + "key": "S", + "description": "Local service or program; highly controlled network" + }, + { + "label": "controlled", + "key": "C", + "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." 
+ }, + { + "label": "open", + "key": "O", + "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" + } + ] + + }, + { + "label": "Automatable", + "key": "A", + "decision_type": "simple", + "options": [ + { + "label": "no", + "key": "N", + "description": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. Example reasons for why a step may not be reliably automatable include (1) the vulnerable component is not searchable or enumerable on the network, (2) weaponization may require human direction for each target, (3) delivery may require channels that widely deployed network security configurations block, and (4) exploitation may be frustrated by adequate exploit-prevention techniques enabled by default; ASLR is an example of an exploit-prevention tool." + }, + { + "label": "yes", + "key": "Y", + "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows unauthenticated remote code execution (RCE) or command injection, the response is likely yes." + } + ] + }, + { + "decision_type": "simple", + "label": "Situated Safety Impact", + "key": "S", + "options": [ + { + "label": "none", + "key": "N", + "description": "Does not mean no impact literally; the effect is below the threshold for all aspects described in Minor" + }, + { + "label": "minor", + "key": "M", + "description": "Any one of the following is observed \"Physical Harm\": Physical discomfort for users of the system OR a minor occupational safety hazard OR reduction in physical system safety margins. \"Environment\": Minor externalities (property damage, environmental damage, etc.) imposed on other parties. \"Financial\": Financial losses, which are not readily absorbable, to multiple persons. 
\"Psychological\": Emotional or psychological harm, sufficient to be cause for counseling or therapy, to multiple persons." + }, + { + "label": "major", + "key": "A", + "description": "Any one of the following is observed \"Physical Harm\": Physical distress and injuries for users of the system OR a significant occupational safety hazard OR failure of physical system functional capabilities that support safe operation. \"Environment\": Major externalities (property damage, environmental damage, etc.) imposed on other parties. \"Financial\": Financial losses that likely lead to bankruptcy of multiple persons. \"Psychological\": Widespread emotional or psychological harm, sufficient to be cause for counseling or therapy, to populations of people." + }, + { + "label": "hazardous", + "key": "H", + "description": "Any one of the following is observed \"Physical Harm\": Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures OR parts of the cyber-physical system that support safe operation break. \"Environment\": Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. \"Financial\": Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state \"Psychological\": N/A" + }, + { + "label": "catastrophic", + "key": "C", + "description": "Any one of the following is observed \"Physical Harm\": Multiple immediate fatalities (emergency response probably cannot save the victims.). \"Environment\": Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. \"Financial\": Social systems (elections, financial grid, etc.) supported by the software collapse. 
\"Psychological\": N/A" + } + ] + }, + { + "decision_type": "simple", + "label": "Mission Impact", + "key": "M", + "options": [ + { + "label": "none", + "key": "N", + "description": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions. (aka Non-Essential Degraded)" + }, + { + "label": "degraded", + "key": "D", + "description": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions. (aka Non-Essential Degraded)" + }, + { + "label": "crippled", + "key": "C", + "description": "Mission Essential Function (MEF) support is crippled. Activities that directly support essential functions are crippled; essential functions continue for a time" + }, + { + "label": "mef failure", + "key": "F", + "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" + + }, + { + "label": "mission failure", + "key": "M", + "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" + + } + ] + + }, + { + "label": "Human Impact", + "decision_type": "complex", + "children": [ + { + "label": "Situated Safety Impact" + }, + { + "label": "Mission Impact" + } + ], + "options": [ + { + "label": "low", + "key": "L", + "description": "The combined Situated Safety Impact and Mission Impact is \"low\" ", + "child_combinations": [ + [ { + "child_label": "Situated Safety Impact", + "child_key": "S", + "child_option_labels":[ + "none", + "minor" + ] + }, + { + "child_label": "Mission Impact", + "child_key": "M", + "child_option_labels":[ + "none", + "degraded", + "crippled" + ] + + } + ] + + ] + }, + { + "label": "medium", + "key": "M", + "description": "The combined Situated Safety Impact and Mission Impact is \"medium\" 
", + "child_combinations": [ + [ { + "child_label": "Situated Safety Impact", + "child_key": "S", + "child_option_labels":[ + "none", + "minor" + ] + }, + { + "child_label": "Mission Impact", + "child_key": "M", + "child_option_labels":[ + "mef failure" + ] + + } + ], + [ { + "child_label": "Situated Safety Impact", + "child_key": "S", + "child_option_labels":[ + "major" + ] + }, + { + "child_label": "Mission Impact", + "child_key": "M", + "child_option_labels":[ + "none", + "degraded", + "crippled" + ] + + } + ] + + ] + }, + { + "label": "high", + "key": "H", + "description": "The combined Situated Safety Impact and Mission Impact is \"high\" ", + "child_combinations": [ + [ { + "child_label": "Situated Safety Impact", + "child_key": "S", + "child_option_labels":[ + "major" + ] + }, + { + "child_label": "Mission Impact", + "child_key": "M", + "child_option_labels":[ + "mef failure" + ] + + } + ], + [ { + "child_label": "Situated Safety Impact", + "child_key": "S", + "child_option_labels":[ + "hazardous" + ] + }, + { + "child_label": "Mission Impact", + "child_key": "M", + "child_option_labels":[ + "none", + "degraded", + "crippled", + "mef failure" + ] + + } + ] + + + + ] + }, + { + "label": "very high", + "key": "V", + "description": "The combined Situated Safety Impact and Mission Impact is \"very high\" ", + "child_combinations": [ + [ { + "child_label": "Situated Safety Impact", + "child_key": "S", + "child_option_labels":[ + "none", + "minor", + "major", + "hazardous", + "catastrophic" + ] + }, + { + "child_label": "Mission Impact", + "child_key": "M", + "child_option_labels":[ + "mission failure" + ] + + } + ], + [ { + "child_label": "Situated Safety Impact", + "child_key": "S", + "child_option_labels":[ + "catastrophic" + ] + }, + { + "child_label": "Mission Impact", + "child_key": "M", + "child_option_labels":[ + "none", + "degraded", + "crippled", + "mef failure", + "mission failure" + ] + + } + ] + + ] + + } + ] + }, + { + "decision_type": "final", + 
"options": [ + { + "label": "defer", + "key": "D", + "description": "Do not act at present.", + "color": "#75FC4C" + }, + { + "label": "scheduled", + "key": "S", + "description": "Act during regularly scheduled maintenance time.", + "color": "#FBEB61" + }, + { + "label": "out-of-cycle", + "key": "O", + "description": "Act more quickly than usual to apply the mitigation or remediation out-of-cycle, during the next available opportunity, working overtime if necessary.", + "color": "#EE8733" + }, + { + "label": "immediate", + "key": "I", + "description": "Act immediately; focus all resources on applying the fix as quickly as possible, including, if necessary, pausing regular organization operations.", + "color": "#EA3423" + } + ], + "label": "Priority" + } ], + "decisions_table": [ + { + "Exploitation": "none", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "low", + "Priority": "defer" + }, + { + "Exploitation": "none", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "medium", + "Priority": "defer" + }, + { + "Exploitation": "none", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "very high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "low", + "Priority": "defer" + }, + { + "Exploitation": "none", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "very high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "low", + "Priority": "defer" + }, + { + 
"Exploitation": "none", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "very high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "low", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "very high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "low", + "Priority": "defer" + }, + { + "Exploitation": "none", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "very high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "low", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "none", + "Exposure": "open", + "Automatable": "yes", + "Human 
Impact": "very high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "PoC", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "low", + "Priority": "defer" + }, + { + "Exploitation": "PoC", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "very high", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "low", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "very high", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "low", + "Priority": "defer" + }, + { + "Exploitation": "PoC", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "very high", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "low", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": 
"controlled", + "Automatable": "yes", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "very high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "PoC", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "low", + "Priority": "defer" + }, + { + "Exploitation": "PoC", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "high", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "very high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "PoC", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "low", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "PoC", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "PoC", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "very high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "low", + "Priority": "scheduled" + }, + { + "Exploitation": "active", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "active", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "small", + "Automatable": "no", + "Human Impact": "very high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "low", + "Priority": "scheduled" + }, + 
{ + "Exploitation": "active", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "active", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "small", + "Automatable": "yes", + "Human Impact": "very high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "low", + "Priority": "scheduled" + }, + { + "Exploitation": "active", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "active", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "controlled", + "Automatable": "no", + "Human Impact": "very high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "low", + "Priority": "scheduled" + }, + { + "Exploitation": "active", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "medium", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "controlled", + "Automatable": "yes", + "Human Impact": "very high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "low", + "Priority": "scheduled" + }, + { + "Exploitation": "active", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "medium", + "Priority": "scheduled" + }, + { + "Exploitation": "active", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "high", + "Priority": "out-of-cycle" + }, + { + "Exploitation": 
"active", + "Exposure": "open", + "Automatable": "no", + "Human Impact": "very high", + "Priority": "immediate" + }, + { + "Exploitation": "active", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "low", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "medium", + "Priority": "out-of-cycle" + }, + { + "Exploitation": "active", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "high", + "Priority": "immediate" + }, + { + "Exploitation": "active", + "Exposure": "open", + "Automatable": "yes", + "Human Impact": "very high", + "Priority": "immediate" + } + ], + "lang": "en", + "version": "2.0", + "title": "Deployer v2.1.0" +} diff --git a/ssvc-calc/cmu-logo.png b/ssvc-calc/cmu-logo.png new file mode 100644 index 00000000..4c3f155b Binary files /dev/null and b/ssvc-calc/cmu-logo.png differ diff --git a/ssvc-calc/icons8-copy-60.png b/ssvc-calc/icons8-copy-60.png new file mode 100644 index 00000000..fcdd67d0 Binary files /dev/null and b/ssvc-calc/icons8-copy-60.png differ diff --git a/ssvc-calc/icons8-copy-link-48.png b/ssvc-calc/icons8-copy-link-48.png new file mode 100644 index 00000000..0b62abe5 Binary files /dev/null and b/ssvc-calc/icons8-copy-link-48.png differ diff --git a/ssvc-calc/index.html b/ssvc-calc/index.html index ace3b2c8..bdfc662b 100644 --- a/ssvc-calc/index.html +++ b/ssvc-calc/index.html @@ -3,7 +3,7 @@ - CERT/CC Demo Server - Dryad SSVC Calc App + Dryad SSVC Calc App - - + + - CERT Logo

- CMU Logo

diff --git a/ssvc-calc/moon_icon.png b/ssvc-calc/moon_icon.png new file mode 100644 index 00000000..b5678f71 Binary files /dev/null and b/ssvc-calc/moon_icon.png differ diff --git a/ssvc-calc/ssvc.js b/ssvc-calc/ssvc.js index e125101c..268607d4 100644 --- a/ssvc-calc/ssvc.js +++ b/ssvc-calc/ssvc.js @@ -16,7 +16,7 @@ var current_score = []; var current_tree = "CISA-Coordinator-v2.0.3.json"; var roll_tree_map = {"CISA-Coordinator" : "CISA-Coordinator-v2.0.3.json", "Supplier": "Supplier-v2.0.0.json", - "Deployer": "Deployer-v2.0.0.json", + "Deployer": "Deployer-v2.1.0.json", "Coordinator-Publish": "Coordinator-Publish-v2.0.0.json", "Coordinator-Triage": "Coordinator-Triage-v2.0.0.json" };