Description
Is your feature request related to a problem? Please describe.
Internal to the SSVC team, we've been talking for a few years about the idea that SSVC can act as a human-scale bottleneck to decision planning sitting between large-scale data collection on one side and large-scale vulnerability response on the other. The human-scale aspect of SSVC is that it allows the conversation between risk owners and technical implementers about "What should we do when...?" This part happens in the Prepare step of the Getting Started guide, but we don't really call it out there for what it is.
Describe the solution you'd like
Write up an explainer about how SSVC enables the conversation and allows for a governance process to be effective in the face of a lot of data and operational level decisions being made in the course of ongoing operations. Examples could include (just tossing out ideas):
- "Why did we do $X$?" → "Because our data indicated that conditions $A$, $B$, and $C$ were met." → "Well, let's fine-tune that, because I think we should have done $Y$ in that case." → "Okay, should we add another condition $D$ to every decision, or should we just re-label the outcome for the node where $(A,B,C)$ happens?" → etc.
- Data Mapping is really geared toward funneling things into the bottleneck from the left
- Use & Respond is about fanning out the model into operational use
```mermaid
flowchart TB
subgraph dm[Data Mapping]
collect[Collect Lots of Data]
end
subgraph ssvc[SSVC<br/>Human-Scale]
dps[SSVC Decision Points]
model[SSVC Decision Table]
end
subgraph use[Respond]
apply[Decisions]
end
gov[Governance<br/>Human-Scale]
collect -->|maps<br/>onto| dps
dps -->|input to| model
model -->|defines| apply
gov -->|refines| ssvc
use -->|informs| gov
```
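As an added illustration of the bottleneck and the two governance options in the sample conversation above (not code from the SSVC project; the decision points A, B, C, the raw-data fields, and the outcome labels are constructed placeholders, not SSVC's real decision points), a minimal decision table that records why a decision was made and can be refined either by re-labelling one node or by adding a decision point to every decision:

```python
from dataclasses import dataclass
from itertools import product

@dataclass
class DecisionTable:
    """Decision points (name -> allowed values) plus a lookup from each
    combination of values (a 'node') to the outcome the table prescribes."""
    points: dict
    outcomes: dict
    default: str = "defer"

    def decide(self, values):
        """Answer 'What should we do?' and keep the 'because A, B, C were met' trail."""
        key = tuple(values[p] for p in self.points)
        for name, v in zip(self.points, key):
            if v not in self.points[name]:
                raise ValueError(f"{name}={v!r} is not an allowed value")
        return self.outcomes.get(key, self.default), dict(zip(self.points, key))

    def relabel(self, key, outcome):
        """Governance option 1: change only the outcome of the node where key happens."""
        self.outcomes[tuple(key)] = outcome

    def add_point(self, name, allowed):
        """Governance option 2: add decision point `name` to every decision.
        Each existing node is split into one node per new value and keeps its
        outcome, so behaviour is unchanged until specific nodes are relabelled."""
        self.points[name] = tuple(allowed)
        self.outcomes = {old + (v,): out
                         for old, out in self.outcomes.items() for v in allowed}

def map_data(record):
    """Data Mapping: funnel a raw collected record (constructed fields) into
    decision-point values; this is the left side of the bottleneck."""
    return {"A": "yes" if record["exploit_public"] else "no",
            "B": "yes" if record["internet_facing"] else "no",
            "C": "yes" if record["asset_critical"] else "no"}

def build_table():
    """Constructed table: three yes/no points, every node labelled 'defer'
    except the two that risk owners decided should be acted on."""
    points = {"A": ("no", "yes"), "B": ("no", "yes"), "C": ("no", "yes")}
    outcomes = {k: "defer" for k in product(*points.values())}
    outcomes[("yes", "yes", "yes")] = "act_now"
    outcomes[("yes", "yes", "no")] = "schedule"
    return DecisionTable(points, outcomes)

if __name__ == "__main__":
    table = build_table()
    obs = map_data({"exploit_public": True, "internet_facing": True,
                    "asset_critical": True})
    print(table.decide(obs))  # ('act_now', {'A': 'yes', 'B': 'yes', 'C': 'yes'})
```

The `decide` return value is the audit trail for "Why did we do X?", and the two refinement methods are the two answers to "add condition D everywhere, or re-label one node?".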