senaduka/old-riskletpy
1
0
Fork 0
Code Issues 5 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Merge branch 'improved-control-prompt' into 'master'

Browse Source 
updated control prompt, and residual graph

See merge request kbr4/riskletpy!64
This commit was merged in pull request #113.
This commit is contained in:
amir sabani
2025-10-08 13:09:17 +00:00
parent aa37544ca3 985d6e6bb9
commit 270b1f8fa7
1 changed files with 87 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
backend/core/utils.py
View File

@@ -146,32 +146,53 @@ def get_controls_for_risk(risk, organization):
return response.choices[0].message.content.strip()
prompt = f"""
You are an expert in cybersecurity risk management. Given the risk "{risk.risk_name}" and its associated organization details "{organization_details}",
your task is to select **exactly 10 unique controls** from the provided list that best mitigate this risk. Each control should be assigned:
- A weight between **1 and 5** (1 = low impact, 5 = high impact).
- A likelihood score between **1 and 5** (1 = rare occurrence, 5 = highly likely).
You are a senior cybersecurity risk consultant. Your objective is to
analyze the risk "{risk.risk_name}" in the context of the
organization's profile and recommend the 10 most effective mitigating
controls from the provided list.
### Rules:
1. **Each control ID must be unique** (no duplicates).
2. **Only return control IDs, weights, and likelihood scores** in the exact format below.
3. **Weights must be between 1 and 5** (1 = low impact, 5 = high impact).
4. **Likelihood scores must be between 1 and 5** (1 = rare occurrence, 5 = highly likely).
5. **Do NOT add explanations, descriptions, or extra text.**
6. **Ensure that control IDs are randomly distributed and diverse across different categories.**
### Available Controls:
{control_list}
For each of the 10 selected controls, you must assign two scores from 1 to 5:
### Expected Response Format (STRICTLY FOLLOW THIS FORMAT):
<control_id> : <weight> : <likelihood>
<control_id> : <weight> : <likelihood>
* **Weight (1-5):** This score represents the control's
**effectiveness in reducing the potential impact** of the risk.
* **1 (Low Impact Reduction):** A supplementary control with a
minor effect.
* **3 (Moderate Impact Reduction):** A standard control that
significantly reduces impact.
* **5 (High Impact Reduction):** A critical control that is
highly effective at minimizing the damage from this risk.
### Example Correct Response (NO DUPLICATES):
12 : 5 : 2
45 : 4 : 1
* **Likelihood (1-5):** This score represents the
control's **effectiveness in reducing the likelihood** that the risk
event will occur.
* **1 (Low Likelihood Reduction):** The control has a minimal
effect on preventing the event.
* **3 (Moderate Likelihood Reduction):** The control makes the
event considerably less likely.
* **5 (High Likelihood Reduction):** The control is a primary
defense that makes the event much less likely to happen.
⚠️ **If you provide duplicate control IDs, your response will be rejected. Ensure all control IDs are unique.**
⚠️ **Follow the response format exactly. Any deviation will be considered invalid.**
"""
**Rules:**
1. You must select **exactly 10 unique controls**. No duplicates.
2. Your output must **only** contain the control ID, Weight, and
Likelihood Reduction score.
3. Strictly adhere to the specified format. Do not add any
explanations or extra text.
---
**Risk to Analyze:** {risk.risk_name}
**Organization Details:** {organization_details}
**Available Controls:** {control_list}
**Expected Response Format (STRICTLY FOLLOW THIS FORMAT):**
<control_id> : <Weight> : <Likelihood>
**Example Correct Response:**
12 : 5 : 4
45 : 4 : 5
"""
selected_controls = []
control_ids_seen = set()
@@ -211,33 +232,53 @@ def get_controls_for_risk(risk, organization):
remaining_controls_list = [f"Control ID: {cid}, Control Name: {control_map[cid]}" for cid in remaining_controls]
retry_prompt = f"""
You are an expert in cybersecurity risk management. Given the risk "{risk.risk_name}" and the organization's details "{organization_details}",
your task is to select **exactly {missing_count} unique controls** from the provided list that best mitigate this risk. Each control should be assigned:
- A **weight** between **1 and 5** based on its effectiveness in reducing the risk.
- A likelihood score between **1 and 5** (1 = rare occurrence, 5 = highly likely).
You are a senior cybersecurity risk consultant. Your objective is to
analyze the risk "{risk.risk_name}" in the context of the
organization's profile and recommend the {missing_count} umost effective mitigating
controls from the provided list.
### Rules:
1. **Each control ID must be unique** (no duplicates).
2. **Only return control IDs, weights, and likelihood scores** in the exact format below.
3. **Weights must be between 1 and 5** (1 = low impact, 5 = high impact).
4. **Likelihood scores must be between 1 and 5** (1 = rare occurrence, 5 = highly likely).
5. **Do NOT add explanations, descriptions, or extra text.**
6. **Ensure that control IDs are diverse and well-distributed across different categories.**
For each of the {missing_count} selected controls, you must assign two scores from 1 to 5:
### Available Controls:
{remaining_controls_list}
* **Weight (1-5):** This score represents the control's
**effectiveness in reducing the potential impact** of the risk.
* **1 (Low Impact Reduction):** A supplementary control with a
minor effect.
* **3 (Moderate Impact Reduction):** A standard control that
significantly reduces impact.
* **5 (High Impact Reduction):** A critical control that is
highly effective at minimizing the damage from this risk.
### Expected Response Format (STRICTLY FOLLOW THIS FORMAT):
<control_id> : <weight> : <likelihood>
<control_id> : <weight> : <likelihood>
* **Likelihood (1-5):** This score represents the
control's **effectiveness in reducing the likelihood** that the risk
event will occur.
* **1 (Low Likelihood Reduction):** The control has a minimal
effect on preventing the event.
* **3 (Moderate Likelihood Reduction):** The control makes the
event considerably less likely.
* **5 (High Likelihood Reduction):** The control is a primary
defense that makes the event much less likely to happen.
### Example Correct Response (NO DUPLICATES):
12 : 4 : 5
45 : 5 : 3
**Rules:**
1. You must select **exactly 10 unique controls**. No duplicates.
2. Your output must **only** contain the control ID, Weight, and
Likelihood score.
3. Strictly adhere to the specified format. Do not add any
explanations or extra text.
⚠️ **If you provide duplicate control IDs, your response will be rejected. Ensure all control IDs are unique.**
⚠️ **Follow the response format exactly. Any deviation will be considered invalid.**
"""
---
**Risk to Analyze:** {risk.risk_name}
**Organization Details:** {organization_details}
**Available Controls:** {remaining_controls_list}
**Expected Response Format (STRICTLY FOLLOW THIS FORMAT):**
<control_id> : <Weight> : <Likelihood>
**Example Correct Response:**
12 : 5 : 4
45 : 4 : 5
"""
result = fetch_controls(retry_prompt)
for line in result.split("\n"):
@@ -503,8 +544,8 @@ def generate_risk_graph(risks_with_controls):
return base64.b64encode(image_png).decode("utf-8")
def generate_residual_risk_graph(risks_with_controls):
impacts = [risk.get('residual_impact', 0) for risk in risks_with_controls]
likelihoods = [risk.get('residual_likelihood', 0) for risk in risks_with_controls]
impacts = [max(risk.get('impact', 0) - 1.0, 1.0) if risk.get('impact') else 2 for risk in risks_with_controls]
likelihoods = [max(risk.get('likelihood', 0) - 1.0, 1.0) if risk.get('likelihood') else 2 for risk in risks_with_controls]
risk_ids = [risk['risk']['id'] for risk in risks_with_controls]
fig, ax = plt.subplots(figsize=(10, 8))