How to play Protection Poker

Risk in Protection Poker – how is it determined?

Protection Poker uses a slight variation of the traditional computation of risk:

risk = (the total value of all assets that could be exploited with a successful attack) × (the exposure).

Risk is always related to the requirements that are to be implemented in the next iteration; often this will be some new, enhanced or corrected functionality. Exposure relates to how hard or easy this change in functionality makes it to attack the system. In the evaluation of exposure, one should consider the possible ways in which attackers can attack the system (attack surface), what type of breaches they can perform (confidentiality, integrity, availability) and the skill level required. For asset value, the value of the asset for various groups should be considered: the value of the asset for an attacker is important for attacker motivation, whereas the value of the asset for customers, users, the business, etc. largely determines the consequences that a successful attack may have. Assets are typically considered to be database tables or system processes that the new functionality controls.

With Protection Poker, the risk of a requirement is rated relative to the other requirements of the same system. The goal is not to arrive at a "perfect" and "universal" risk value, but to rate the security risk of the requirements in order to better prioritise security effort.

Calibration – what to do before playing Protection Poker for a new software system

Protection Poker uses the following numbers to determine asset value or system exposure: <10, 20, 30, 40, 50, 60, 70, 80, 90, 100. To be able to prioritise between different requirements, it is important to get a spread in the numbers assigned. What these numbers mean may however vary between different development projects. Before starting to play Protection Poker for a system, it is thus recommended to perform a calibration in order to arrive at a common understanding of the end-points of the scale, i.e. what does a <10 or a 100 mean for this product? This is to avoid that, e.g., high-risk projects rate every requirement as high risk, which would make it very hard to prioritise within the project. Thus a 100 should be given to asset values and exposures that are high for this project, and similarly <10 should be given to asset values and exposures that are low for this project.

Asset value: The team asks itself which assets are most important in this system and which assets are of little value. The asset they consider most important is given a '100' and the asset they consider to have little value is given a '<10'.

Exposure: The team asks itself which types of functional requirements open the system up most to attacks and which functional requirements limit exposure, and assigns these a '100' and a '<10' respectively.

In the evaluation of asset value and exposure, numbers should be assigned relative to these endpoints, as well as relative to the values assigned for previously assessed requirements.

Protection Poker is played during an iteration planning meeting, and it is recommended that the full team (including developers, testers, product managers or business owners, project managers, usability engineers, security engineers, software security experts, and others) participates.
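As an added example that is not part of the original page, the following Python sketch applies the risk formula (asset value sum × exposure) and the calibrated scale to a few constructed requirements and ranks them for security effort. The asset names, the calibrated values, the requirements and the choice to record the '<10' endpoint as the number 10 are all assumptions of this example.

```python
from dataclasses import dataclass

# The Protection Poker scale. "<10" is recorded as 10 here; that is an
# assumption of this example, the page does not say what number a team writes down.
SCALE = (10, 20, 30, 40, 50, 60, 70, 80, 90, 100)


@dataclass
class Requirement:
    name: str
    assets: tuple   # assets (e.g. database tables, processes) the new functionality controls
    exposure: int   # the team's exposure vote, on SCALE


def check_scale(value, what):
    """Reject votes that are not one of the agreed scale values."""
    if value not in SCALE:
        raise ValueError(f"{what}={value} is not on the Protection Poker scale {SCALE}")
    return value


def risk(req, asset_values):
    """risk = (total value of all assets reachable by a successful attack) x exposure."""
    check_scale(req.exposure, f"exposure of '{req.name}'")
    total = sum(check_scale(asset_values[a], f"asset value of '{a}'") for a in req.assets)
    return total * req.exposure


def prioritise(requirements, asset_values):
    """(name, risk) pairs, highest risk first: the order in which to spend security effort."""
    scored = [(r.name, risk(r, asset_values)) for r in requirements]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: asset values agreed in the calibration round (100 = most
# important asset in this system, 10 = an asset of little value).
ASSET_VALUES = {"customer_table": 100, "session_store": 60, "ui_theme_prefs": 10}

# Constructed sample: this iteration's requirements with the team's exposure votes.
REQUIREMENTS = [
    Requirement("export customer data to CSV", ("customer_table",), 70),
    Requirement("remember-me login cookie", ("session_store", "customer_table"), 40),
    Requirement("dark mode toggle", ("ui_theme_prefs",), 10),
]

if __name__ == "__main__":
    for name, value in prioritise(REQUIREMENTS, ASSET_VALUES):
        print(f"{value:6d}  {name}")
```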