updated control prompt, and residual graph

backend/core/utils.py

@@ -146,32 +146,53 @@ def get_controls_for_risk(risk, organization):
         return response.choices[0].message.content.strip()
 
     prompt = f"""
-    You are an expert in cybersecurity risk management. Given the risk "{risk.risk_name}" and its associated organization details "{organization_details}",
+        You are a senior cybersecurity risk consultant. Your objective is to
-    your task is to select **exactly 10 unique controls** from the provided list that best mitigate this risk. Each control should be assigned:
+        analyze the risk "{risk.risk_name}" in the context of the
-    - A weight between **1 and 5** (1 = low impact, 5 = high impact).
+        organization's profile and recommend the 10 most effective mitigating
-    - A likelihood score between **1 and 5** (1 = rare occurrence, 5 = highly likely).
+        controls from the provided list.
 
-    ### Rules:
+        For each of the 10 selected controls, you must assign two scores from 1 to 5:
-    1. **Each control ID must be unique** (no duplicates).
-    2. **Only return control IDs, weights, and likelihood scores** in the exact format below.
-    3. **Weights must be between 1 and 5** (1 = low impact, 5 = high impact).
-    4. **Likelihood scores must be between 1 and 5** (1 = rare occurrence, 5 = highly likely).
-    5. **Do NOT add explanations, descriptions, or extra text.**
-    6. **Ensure that control IDs are randomly distributed and diverse across different categories.**
-    ### Available Controls:
-    {control_list}
 
-    ### Expected Response Format (STRICTLY FOLLOW THIS FORMAT):
+        *   **Weight (1-5):** This score represents the control's
-    <control_id> : <weight> : <likelihood>
+        **effectiveness in reducing the potential impact** of the risk.
-    <control_id> : <weight> : <likelihood>
+            *   **1 (Low Impact Reduction):** A supplementary control with a
+        minor effect.
+            *   **3 (Moderate Impact Reduction):** A standard control that
+        significantly reduces impact.
+            *   **5 (High Impact Reduction):** A critical control that is
+        highly effective at minimizing the damage from this risk.
 
-    ### Example Correct Response (NO DUPLICATES):
+        *   **Likelihood (1-5):** This score represents the
-    12 : 5 : 2
+        control's **effectiveness in reducing the likelihood** that the risk
-    45 : 4 : 1
+        event will occur.
+            *   **1 (Low Likelihood Reduction):** The control has a minimal
+        effect on preventing the event.
+            *   **3 (Moderate Likelihood Reduction):** The control makes the
+        event considerably less likely.
+            *   **5 (High Likelihood Reduction):** The control is a primary
+        defense that makes the event much less likely to happen.
 
-    ⚠️ **If you provide duplicate control IDs, your response will be rejected. Ensure all control IDs are unique.**
+        **Rules:**
-    ⚠️ **Follow the response format exactly. Any deviation will be considered invalid.**
+        1.  You must select **exactly 10 unique controls**. No duplicates.
-    """
+        2.  Your output must **only** contain the control ID, Weight, and
+        Likelihood Reduction score.
+        3.  Strictly adhere to the specified format. Do not add any
+        explanations or extra text.
+
+        ---
+        **Risk to Analyze:** {risk.risk_name}
+
+        **Organization Details:** {organization_details}
+
+        **Available Controls:** {control_list}
+
+        **Expected Response Format (STRICTLY FOLLOW THIS FORMAT):**
+        <control_id> : <Weight> : <Likelihood>
+
+        **Example Correct Response:**
+        12 : 5 : 4
+        45 : 4 : 5
+        """
 
     selected_controls = []
     control_ids_seen = set()
@@ -211,33 +232,53 @@ def get_controls_for_risk(risk, organization):
         remaining_controls_list = [f"Control ID: {cid}, Control Name: {control_map[cid]}" for cid in remaining_controls]
 
         retry_prompt = f"""
-        You are an expert in cybersecurity risk management. Given the risk "{risk.risk_name}" and the organization's details "{organization_details}",
+                You are a senior cybersecurity risk consultant. Your objective is to
-        your task is to select **exactly {missing_count} unique controls** from the provided list that best mitigate this risk. Each control should be assigned:
+                analyze the risk "{risk.risk_name}" in the context of the
-        - A **weight** between **1 and 5** based on its effectiveness in reducing the risk.
+                organization's profile and recommend the {missing_count} umost effective mitigating
-        - A likelihood score between **1 and 5** (1 = rare occurrence, 5 = highly likely).
+                controls from the provided list.
 
-        ### Rules:
+                For each of the {missing_count} selected controls, you must assign two scores from 1 to 5:
-        1. **Each control ID must be unique** (no duplicates).
-        2. **Only return control IDs, weights, and likelihood scores** in the exact format below.
-        3. **Weights must be between 1 and 5** (1 = low impact, 5 = high impact).
-        4. **Likelihood scores must be between 1 and 5** (1 = rare occurrence, 5 = highly likely).
-        5. **Do NOT add explanations, descriptions, or extra text.**
-        6. **Ensure that control IDs are diverse and well-distributed across different categories.**
 
-        ### Available Controls:
+                *   **Weight (1-5):** This score represents the control's
-        {remaining_controls_list}
+                **effectiveness in reducing the potential impact** of the risk.
+                    *   **1 (Low Impact Reduction):** A supplementary control with a
+                minor effect.
+                    *   **3 (Moderate Impact Reduction):** A standard control that
+                significantly reduces impact.
+                    *   **5 (High Impact Reduction):** A critical control that is
+                highly effective at minimizing the damage from this risk.
 
-        ### Expected Response Format (STRICTLY FOLLOW THIS FORMAT):
+                *   **Likelihood (1-5):** This score represents the
-        <control_id> : <weight> : <likelihood>
+                control's **effectiveness in reducing the likelihood** that the risk
-        <control_id> : <weight> : <likelihood>
+                event will occur.
+                    *   **1 (Low Likelihood Reduction):** The control has a minimal
+                effect on preventing the event.
+                    *   **3 (Moderate Likelihood Reduction):** The control makes the
+                event considerably less likely.
+                    *   **5 (High Likelihood Reduction):** The control is a primary
+                defense that makes the event much less likely to happen.
 
-        ### Example Correct Response (NO DUPLICATES):
+                **Rules:**
-        12 : 4 : 5
+                1.  You must select **exactly 10 unique controls**. No duplicates.
-        45 : 5 : 3
+                2.  Your output must **only** contain the control ID, Weight, and
+                Likelihood score.
+                3.  Strictly adhere to the specified format. Do not add any
+                explanations or extra text.
 
-        ⚠️ **If you provide duplicate control IDs, your response will be rejected. Ensure all control IDs are unique.**
+                ---
-        ⚠️ **Follow the response format exactly. Any deviation will be considered invalid.**
+                **Risk to Analyze:** {risk.risk_name}
-        """
+
+                **Organization Details:** {organization_details}
+
+                **Available Controls:** {remaining_controls_list}
+
+                **Expected Response Format (STRICTLY FOLLOW THIS FORMAT):**
+                <control_id> : <Weight> : <Likelihood>
+
+                **Example Correct Response:**
+                12 : 5 : 4
+                45 : 4 : 5
+                """
 
         result = fetch_controls(retry_prompt)
         for line in result.split("\n"):
@@ -503,8 +544,8 @@ def generate_risk_graph(risks_with_controls):
     return base64.b64encode(image_png).decode("utf-8")
 
 def generate_residual_risk_graph(risks_with_controls):
-    impacts = [risk.get('residual_impact', 0) for risk in risks_with_controls]
+    impacts = [max(risk.get('impact', 0) - 1.0, 1.0) if risk.get('impact') else 2 for risk in risks_with_controls]
-    likelihoods = [risk.get('residual_likelihood', 0) for risk in risks_with_controls]
+    likelihoods = [max(risk.get('likelihood', 0) - 1.0, 1.0) if risk.get('likelihood') else 2 for risk in risks_with_controls]
     risk_ids = [risk['risk']['id'] for risk in risks_with_controls]
 
     fig, ax = plt.subplots(figsize=(10, 8))