Risk Tolerance Curve suggestion

[priamai]

This is not strictly required by the FAIR methodology but would be a nice addition.
Typically a CISO will draw the LOE for the inherent and residual risk, he will then ask his CTO/CEO/CFO to provide a few data points to build a risk tolerance curve.
An example from PAN talk is here:

The tolerance curve will be interpolated from the few datapoints (the user should choose from linear, expo or polynomial) provided.

The tolerance curve should then be intersected with the other two to find out the break out points.
Would be wonderful to have a class to inject such LOE from input data.

Cheers!

[priamai]

Found also an interesting tutorial here all in python:
https://fluidattacks.com/blog/quantitative-python/

[theonaunheim]

From an API perspective, how do you see this working? I.e. how does an analyst define this curve?

t_curve = np.polyfit(
   [100, 1_000, 10_000], 
   [1, .2, .1],
   3
)
fsr = FairSimpleReport([model_1, model_2))
fsr.add_tolerance_curve(t_curve)
fsr.to_html('output.html')

[priamai]

Hi @theonaunheim yes that would work!