In Axio360, there are several terms for objects that can be manipulated via the API. Here is a brief explanation of these objects, along with references to where they appear in the platform.
Assessment Model
Assessment models are control frameworks, such as the NIST CSF, C2M2, CIS 18, etc. They also include custom models that organizations can load into the platform. Each model will have a series of ‘practices’, which are the individual questions/statements in the framework, and one or more ‘dimensions’, which are the response options to those statements.
Assessment Model > Practice
A practice in an assessment model is the lowest level object that the model is evaluating. In other words, it’s the question or statement about a specific control that the user can answer. For example, practice ID.AM-1 in the NIST CSF is “Physical devices and systems within the organization are inventoried”, and the user can answer according to the response dimensions provided.
Assessment Model > Dimension
A dimension in an assessment model is the set of response options presented to the user. Most assessment models have a single dimension, but some models may have more. Popular dimensions include FILIPINI (Fully Implemented, Largely Implemented, Partially Implemented and Not Implemented) and CMMI (Incomplete, Initial, Managed, Defined, Quantitatively Defined, Optimizing).
Assessment
An assessment is a series of responses – that is, a ‘filled-in’ version – of one of the assessment models. It includes action items and notes for each practice.
Assessment > Action Item
An action item for an assessment practice is meant as a ‘to-do’ that can be assigned to a user with a specific deadline.
Assessment > Notes
A note is a specific observation or general text comment for a specific practice.
Scenario Collection
A scenario collection is a group of Cyber Risk Scenarios that share a common scope. Typically, this scope is a specific enterprise or portion of an organization, but the scope definition is entirely up to the end-user. Scenario collections include firmographic meta-data for the scope, including a North American Industry Classification System (NAICS) code that specifies the industry the collection is scoped to, and a revenue band for the scoped entity.
Scenario
A scenario is a cyber risk that is quantified in the platform. Each scenario has a susceptibility and a series of impacts associated with it. Each impact has one or more estimated values (EVs). When the Monte Carlo calculations are run, they produce an Impact Distribution and a Loss Exceedance Curve.
Scenario > Susceptibility
Susceptibility is a 5-point scale—Very Low, Low, Medium, High, Very High—that qualifies how susceptible the organization is to a specific scenario. It is combined with the “Percent Chance of Attack Per Year”, which is stored in the scenario collection, to create a scenario likelihood.
Scenario > Estimated Values
Each impact has one or more estimated values (EVs) that are estimations of specific values – for example, “Number of Servers” or “Forensics Hourly Rate”. EVs have a minimum value, expected value, and maximum value, which describe the parameters of a Beta PERT distribution.
Scenario > Impact Distribution
The impact distribution of a scenario is the result of 25,000 Monte Carlo simulations of the potential impacts of the risk scenario.
Scenario > Loss Exceedance Curve
A loss exceedance curve (LEC) is a visual representation of risk that depicts the probability of meeting or exceeding given loss levels within a year.
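The three quantitative objects above (Beta PERT estimated values, the 25,000-trial impact distribution, and the loss exceedance curve) fit together as one small calculation. The following Python is an added example written for this page, not Axio's own code or API: it uses the standard Beta-PERT parameterisation (shape weight lambda = 4), a constructed impact made of three EVs whose product is taken as the impact formula (an assumption for the example), and a flat, assumed annual likelihood in place of the platform's susceptibility/percent-chance combination, whose rule the page does not give.

```python
import math
import random

PERT_LAMBDA = 4.0  # standard Beta-PERT shape weight (assumption: the platform's value is not stated)


def pert_params(minimum, expected, maximum):
    """Convert an EV's (min, expected, max) into Beta(alpha, beta) shape parameters.

    Standard Beta-PERT: alpha = 1 + lambda*(mode-min)/(max-min), beta = 1 + lambda*(max-mode)/(max-min).
    """
    if not (minimum <= expected <= maximum) or minimum == maximum:
        raise ValueError("need minimum <= expected <= maximum with a non-empty range")
    span = maximum - minimum
    alpha = 1.0 + PERT_LAMBDA * (expected - minimum) / span
    beta = 1.0 + PERT_LAMBDA * (maximum - expected) / span
    return alpha, beta


def pert_mean(minimum, expected, maximum):
    """Closed-form Beta-PERT mean: (min + lambda*mode + max) / (lambda + 2)."""
    return (minimum + PERT_LAMBDA * expected + maximum) / (PERT_LAMBDA + 2)


def sample_ev(rng, minimum, expected, maximum):
    """Draw one value of an estimated value (EV) from its Beta-PERT distribution."""
    alpha, beta = pert_params(minimum, expected, maximum)
    return minimum + (maximum - minimum) * rng.betavariate(alpha, beta)


# Constructed sample impact ("forensic investigation") with three EVs as (min, expected, max).
# The values are illustrative, not taken from any real scenario.
FORENSICS_IMPACT_EVS = {
    "servers_affected": (5, 20, 60),
    "forensics_hours_per_server": (4, 8, 20),
    "forensics_hourly_rate": (150.0, 250.0, 400.0),
}


def simulate_impact(rng, evs):
    """One Monte Carlo draw of an impact: sample every EV, then combine them.

    Assumption for this example: the impact is the product of its EVs.
    """
    return math.prod(sample_ev(rng, *bounds) for bounds in evs.values())


def run_monte_carlo(evs, annual_likelihood, trials=25000, seed=0):
    """Return the per-trial annual loss: the impact draw when the scenario occurs in that year, else 0.

    annual_likelihood is an assumed flat probability standing in for the platform's
    scenario likelihood (susceptibility combined with percent chance of attack per year).
    The list of non-zero losses is the impact distribution.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        if rng.random() < annual_likelihood:
            losses.append(simulate_impact(rng, evs))
        else:
            losses.append(0.0)
    return losses


def loss_exceedance(losses, thresholds):
    """Points of the LEC: P(annual loss >= threshold) for each threshold."""
    n = len(losses)
    return [(t, sum(1 for loss in losses if loss >= t) / n) for t in thresholds]


if __name__ == "__main__":
    annual_losses = run_monte_carlo(FORENSICS_IMPACT_EVS, annual_likelihood=0.3)
    for threshold, prob in loss_exceedance(annual_losses, [10_000, 50_000, 100_000, 250_000]):
        print(f"P(loss >= {threshold:>8,}) = {prob:.3f}")
```

Because the year-level loss includes the years in which the scenario does not occur, the curve starts at the annual likelihood rather than at 1 for any positive threshold, and it is monotonically non-increasing in the threshold; both properties are useful sanity checks when reading an LEC produced from API data.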
Catalog Scenario
Catalog scenarios are pre-created scenarios that can be copied into a scenario collection and then customized as needed.