Subject: Re: [cti] Current status on Confidence, Intel Note, and Opinion


.02: 

Re: Subjective Measures

Since we evidently have consensus on the 0-100 scale for confidence, we should adopt this representation for all subjective measures, assertions, etc. We should be able to apply consistent methods to process these mathematically/statistically.

Example:

An "opinion" is an assertion by an entity. Like all subjective measures, one might want/need to assign a weight/scaling factor to an "opinion" on the basis of the receiving entity's rating for this source (or sources in the aggregate).

Therefore, if we adopt a common scale and numeric representation for all of these subjective types of measures and representations, we can easily calculate (e.g., sum, average, std deviation), weight, aggregate, etc.


Patrick Maroney
Principle Engineer - Data Science & Analytics
Wapack Labs
(609)841-5104


On Mar 30, 2017, at 1:48 PM, Sarah Kelley <Sarah.Kelley@cisecurity.org> wrote:

All,

 

We wanted to send out a current status for several of the items we’re working through for STIX 2.1.

 

Confidence:

This is currently at consensus. We have reviewed both the implementation and the scales, and people seem to agree that they are good enough. Since this topic has already been discussed at a monthly TC-wide call, the text is being moved from the 2.1 working document into the 2.1 proposed specification document.

 

Intel Note:

This is mostly at consensus. On the working calls this week, we discussed the author property, and debated if it should be a string field or a reference to an identity object. The agreement was to make it a string. If there are no complaints or issues with this change, then this SDO is also at consensus. We will bring this SDO up on the next full-TC call in April, as per our workflow, and if we get agreement there, we will be ready to move this text from the 2.1 working document into the 2.1 specification as well. If there are concerns with this field being a string, please raise them on the list. We will also create a poll in the #polls channel in Slack.

 

Opinion:

This one still has debate going on, and we have not achieved consensus. On the working calls this week, we did agree to change the object_ref property from a single identifier to a list of type identifier. At least two open questions remain that need to be decided. The first is that of the scale. Currently, we have the scale as a value 1-5, with a mapping to a closed vocabulary (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree). It was done numerically in order to provide the ability to do statistics on the opinions. There has been a suggestion to change this to a simple closed vocabulary, and remove the 1-5 values. The second open question is that of a description field. Currently, this object doesn’t have a description field. This was done to keep the object small, and to help differentiate it from other similar objects (like Intel Note). The idea is that if you need to add a description, you would create an Intel Note object and point it at the Opinion object. Others feel this is too heavy-handed, and we should just add a description field back into the Opinion object itself. Again, if you have comments on either of these open questions, please reply to the list with your thoughts. We will also create polls in the #polls channel in Slack.

 

 

Now that we have consensus on two of our objects (Confidence and Intel Note), we will be able to move on to the next item on our list, which is Location, which will be discussed on an upcoming working call, hopefully Tuesday April 4th.

 

Thanks,

 

Sarah Kelley

Senior CERT Analyst

Center for Internet Security (CIS)

Integrated Intelligence Center (IIC)

Multi-State Information Sharing and Analysis Center (MS-ISAC)

1-866-787-4722 (7×24 SOC)

Email: cert@cisecurity.org

www.cisecurity.org

Follow us @CISecurity

 

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
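
The weighting idea raised in this thread, sketched as an added example that is not part of either message or of the STIX specification: each opinion is placed on the 0-100 scale and weighted by the receiver's 0-100 rating of its source. The linear vocabulary-to-score mapping, the field names `source` and `opinion`, and the sample data are assumptions made for illustration.

```python
import math

# Assumption: the five Opinion vocabulary terms placed linearly on 0-100.
OPINION_TO_SCORE = {
    "strongly-disagree": 0, "disagree": 25, "neutral": 50,
    "agree": 75, "strongly-agree": 100,
}

# Constructed sample: four opinions about one object, and the receiver's
# own 0-100 rating of each source. "source-d" is deliberately unrated.
SAMPLE_OPINIONS = [
    {"source": "source-a", "opinion": "agree"},
    {"source": "source-b", "opinion": "strongly-disagree"},
    {"source": "source-c", "opinion": "agree"},
    {"source": "source-d", "opinion": "strongly-agree"},
]
SAMPLE_RATINGS = {"source-a": 80, "source-b": 20, "source-c": 60}


def aggregate(opinions, source_rating, default_rating=0):
    """Return (weighted mean, weighted std deviation, total weight),
    or None when no opinion comes from a source with a non-zero rating."""
    pairs = []
    for op in opinions:
        term = op["opinion"]
        if term not in OPINION_TO_SCORE:
            # Reject unknown terms instead of silently scoring them.
            raise ValueError(f"unknown opinion term: {term!r}")
        weight = source_rating.get(op["source"], default_rating)
        if isinstance(weight, bool) or not isinstance(weight, (int, float)) \
                or not 0 <= weight <= 100:
            raise ValueError(f"rating must be a number in 0-100: {weight!r}")
        pairs.append((OPINION_TO_SCORE[term], weight))
    total = sum(w for _, w in pairs)
    if total == 0:
        return None  # nothing the receiver trusts; do not invent a score
    mean = sum(s * w for s, w in pairs) / total
    variance = sum(w * (s - mean) ** 2 for s, w in pairs) / total
    return mean, math.sqrt(variance), total


if __name__ == "__main__":
    mean, std, total = aggregate(SAMPLE_OPINIONS, SAMPLE_RATINGS)
    print(f"weighted mean={mean:.3f} std={std:.3f} total weight={total}")
```

With the default rating of 0 an unrated source contributes nothing, so the unweighted average of the same four opinions (62.5) differs from the weighted one.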