From 985d6e6bb96f497dd391057db179694d3effaf80 Mon Sep 17 00:00:00 2001
From: Amir
Date: Wed, 8 Oct 2025 15:06:49 +0200
Subject: [PATCH] updated control prompt, and residual graph
---
 backend/core/utils.py | 133 +++++++++++++++++++++++++++--------------
 1 file changed, 87 insertions(+), 46 deletions(-)
diff --git a/backend/core/utils.py b/backend/core/utils.py
index b9367d8..abbef54 100644
--- a/backend/core/utils.py
+++ b/backend/core/utils.py
@@ -146,32 +146,53 @@ def get_controls_for_risk(risk, organization): return response.choices[0].message.content.strip() prompt = f""" - You are an expert in cybersecurity risk management. Given the risk "{risk.risk_name}" and its associated organization details "{organization_details}", - your task is to select **exactly 10 unique controls** from the provided list that best mitigate this risk. Each control should be assigned: - - A weight between **1 and 5** (1 = low impact, 5 = high impact). - - A likelihood score between **1 and 5** (1 = rare occurrence, 5 = highly likely). + You are a senior cybersecurity risk consultant. Your objective is to + analyze the risk "{risk.risk_name}" in the context of the + organization's profile and recommend the 10 most effective mitigating + controls from the provided list. - ### Rules: - 1. **Each control ID must be unique** (no duplicates). - 2. **Only return control IDs, weights, and likelihood scores** in the exact format below. - 3. **Weights must be between 1 and 5** (1 = low impact, 5 = high impact). - 4. **Likelihood scores must be between 1 and 5** (1 = rare occurrence, 5 = highly likely). - 5. **Do NOT add explanations, descriptions, or extra text.** - 6. **Ensure that control IDs are randomly distributed and diverse across different categories.** - ### Available Controls: - {control_list} + For each of the 10 selected controls, you must assign two scores from 1 to 5: - ### Expected Response Format (STRICTLY FOLLOW THIS FORMAT): - : : - : : + * **Weight (1-5):** This score represents the control's + **effectiveness in reducing the potential impact** of the risk. + * **1 (Low Impact Reduction):** A supplementary control with a + minor effect. + * **3 (Moderate Impact Reduction):** A standard control that + significantly reduces impact. + * **5 (High Impact Reduction):** A critical control that is + highly effective at minimizing the damage from this risk. 
- ### Example Correct Response (NO DUPLICATES): - 12 : 5 : 2 - 45 : 4 : 1 + * **Likelihood (1-5):** This score represents the + control's **effectiveness in reducing the likelihood** that the risk + event will occur. + * **1 (Low Likelihood Reduction):** The control has a minimal + effect on preventing the event. + * **3 (Moderate Likelihood Reduction):** The control makes the + event considerably less likely. + * **5 (High Likelihood Reduction):** The control is a primary + defense that makes the event much less likely to happen. - ⚠️ **If you provide duplicate control IDs, your response will be rejected. Ensure all control IDs are unique.** - ⚠️ **Follow the response format exactly. Any deviation will be considered invalid.** - """ + **Rules:** + 1. You must select **exactly 10 unique controls**. No duplicates. + 2. Your output must **only** contain the control ID, Weight, and + Likelihood Reduction score. + 3. Strictly adhere to the specified format. Do not add any + explanations or extra text. + + --- + **Risk to Analyze:** {risk.risk_name} + + **Organization Details:** {organization_details} + + **Available Controls:** {control_list} + + **Expected Response Format (STRICTLY FOLLOW THIS FORMAT):** + : : + + **Example Correct Response:** + 12 : 5 : 4 + 45 : 4 : 5 + """ selected_controls = [] control_ids_seen = set() 
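Review bot: The meaning of the third column is inverted by the new prompt text — the replaced wording defined the likelihood score as 1 = rare occurrence, 5 = highly likely, while the new wording defines 5 as the strongest likelihood *reduction* — but the parsing that follows (`selected_controls`, `control_ids_seen`, and whatever later consumes that value) is untouched here, so any residual-risk arithmetic that still reads it as an occurrence likelihood would now read it backwards; worth confirming against the consumer. A one-line comment above the prompt would keep the next reader from reintroducing the old meaning: `# Third column is the control's likelihood-REDUCTION score (5 = strongest), not the event's likelihood.` Separately, `risk.risk_name` and `organization_details` are interpolated verbatim into the model's instructions, so the parsing below should accept only IDs that appear in `control_list` and scores in 1..5 rather than trust the response to follow the requested format. `get_controls_for_risk` starts before this hunk and continues past it.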
@@ -211,33 +232,53 @@ def get_controls_for_risk(risk, organization): remaining_controls_list = [f"Control ID: {cid}, Control Name: {control_map[cid]}" for cid in remaining_controls] retry_prompt = f""" - You are an expert in cybersecurity risk management. Given the risk "{risk.risk_name}" and the organization's details "{organization_details}", - your task is to select **exactly {missing_count} unique controls** from the provided list that best mitigate this risk. Each control should be assigned: - - A **weight** between **1 and 5** based on its effectiveness in reducing the risk. - - A likelihood score between **1 and 5** (1 = rare occurrence, 5 = highly likely). + You are a senior cybersecurity risk consultant. Your objective is to + analyze the risk "{risk.risk_name}" in the context of the + organization's profile and recommend the {missing_count} umost effective mitigating + controls from the provided list. - ### Rules: - 1. **Each control ID must be unique** (no duplicates). - 2. **Only return control IDs, weights, and likelihood scores** in the exact format below. - 3. **Weights must be between 1 and 5** (1 = low impact, 5 = high impact). - 4. **Likelihood scores must be between 1 and 5** (1 = rare occurrence, 5 = highly likely). - 5. **Do NOT add explanations, descriptions, or extra text.** - 6. **Ensure that control IDs are diverse and well-distributed across different categories.** + For each of the {missing_count} selected controls, you must assign two scores from 1 to 5: - ### Available Controls: - {remaining_controls_list} + * **Weight (1-5):** This score represents the control's + **effectiveness in reducing the potential impact** of the risk. + * **1 (Low Impact Reduction):** A supplementary control with a + minor effect. + * **3 (Moderate Impact Reduction):** A standard control that + significantly reduces impact. + * **5 (High Impact Reduction):** A critical control that is + highly effective at minimizing the damage from this risk. 
- ### Expected Response Format (STRICTLY FOLLOW THIS FORMAT): - : : - : : + * **Likelihood (1-5):** This score represents the + control's **effectiveness in reducing the likelihood** that the risk + event will occur. + * **1 (Low Likelihood Reduction):** The control has a minimal + effect on preventing the event. + * **3 (Moderate Likelihood Reduction):** The control makes the + event considerably less likely. + * **5 (High Likelihood Reduction):** The control is a primary + defense that makes the event much less likely to happen. - ### Example Correct Response (NO DUPLICATES): - 12 : 4 : 5 - 45 : 5 : 3 + **Rules:** + 1. You must select **exactly 10 unique controls**. No duplicates. + 2. Your output must **only** contain the control ID, Weight, and + Likelihood score. + 3. Strictly adhere to the specified format. Do not add any + explanations or extra text. - ⚠️ **If you provide duplicate control IDs, your response will be rejected. Ensure all control IDs are unique.** - ⚠️ **Follow the response format exactly. Any deviation will be considered invalid.** - """ + --- + **Risk to Analyze:** {risk.risk_name} + + **Organization Details:** {organization_details} + + **Available Controls:** {remaining_controls_list} + + **Expected Response Format (STRICTLY FOLLOW THIS FORMAT):** + : : + + **Example Correct Response:** + 12 : 5 : 4 + 45 : 4 : 5 + """ result = fetch_controls(retry_prompt) for line in result.split("\n"): 
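Review bot: Rule 1 of the retry prompt still says `exactly 10 unique controls` while the opening sentence and the per-control instruction ask for `{missing_count}`, so on a retry the model is given two contradictory counts; change it to `1. You must select **exactly {missing_count} unique controls**. No duplicates.` The opening sentence also carries the typo `umost` (`recommend the {missing_count} most effective mitigating`). `**Available Controls:** {remaining_controls_list}` interpolates a Python list, so the model sees a `['Control ID: ...', ...]` repr with brackets and quotes rather than one control per line; `"\n".join(remaining_controls_list)` would match the example layout. Rule 2 here says `Likelihood score` where the first prompt says `Likelihood Reduction score`; the two prompts should use one wording. The enclosing function continues outside the hunk.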
@@ -503,8 +544,8 @@ def generate_risk_graph(risks_with_controls): return base64.b64encode(image_png).decode("utf-8") def generate_residual_risk_graph(risks_with_controls): - impacts = [risk.get('residual_impact', 0) for risk in risks_with_controls] - likelihoods = [risk.get('residual_likelihood', 0) for risk in risks_with_controls] + impacts = [max(risk.get('impact', 0) - 1.0, 1.0) if risk.get('impact') else 2 for risk in risks_with_controls] + likelihoods = [max(risk.get('likelihood', 0) - 1.0, 1.0) if risk.get('likelihood') else 2 for risk in risks_with_controls] risk_ids = [risk['risk']['id'] for risk in risks_with_controls] fig, ax = plt.subplots(figsize=(10, 8))
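Review bot: The fallback in the new `impacts`/`likelihoods` comprehensions is inconsistent with the clamp: a risk whose `impact` is missing or 0 is plotted at 2, while a risk whose `impact` is 1 or 2 is plotted at 1.0, so absent data lands higher on the residual graph than the lowest real score, and the list mixes `int` and `float`. If a neutral placeholder is intended, use the same floor for both cases, e.g. `impacts = [max(risk.get('impact', 0) - 1.0, 1.0) if risk.get('impact') else 1.0 for risk in risks_with_controls]` and likewise for `likelihoods`. More importantly, the function still plots under a residual-risk name, but the values no longer come from `residual_impact`/`residual_likelihood` nor from the per-control weight and likelihood-reduction scores this same commit redefines in the prompt; they are simply inherent minus one, which a comment should state so nobody reads the chart as computed residual risk (`# Residual values are approximated as inherent score - 1 (floored at 1); per-control reductions are not applied here.`). `generate_residual_risk_graph` continues past the hunk.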