Threat Impact Narrative Builder

    Overview

    Build and validate cybersecurity risk registers and impact narratives aligned to NIST CSF 2.0 ID.RA. The skill uses FAIR (Factor Analysis of Information Risk) for impact scenarios and includes a validation tool that flags risks where Likelihood is “High” but the Historical Incident Data section is empty, so scores stay justified and auditable.

    Example conversation

    You: We’re updating the risk register. Add a risk for unpatched internet-facing APIs and run the logic gate so we don’t ship High likelihood without incident data.

    Agent: I’ll add a risk entry with threat (external attacker), vulnerability (missing patches), impact narrative using FAIR, and a Likelihood section. For High likelihood I’ll include a Historical Incident Data section with our past incidents and industry data, then run risk_score_logic_gate on the file.

    Agent: I’ve drafted the risk in risk-register.md with the impact scenario, Likelihood: High, and a Historical Incident Data section citing our 2023 API incident and CISA advisories. Running risk_score_logic_gate

    Agent: Result of risk_score_logic_gate:

        — RISK SCORE LOGIC GATE —
        Result: PASS
        Likelihood “High” detected: yes.
        Historical Incident Data section: present with content.
        Narrative is consistent with risk score.

    The risk entry passes. You can keep it as-is or add ALE (SLE × ARO) if you want quantitative loss in the register.

    Output excerpt

    After the agent drafts a risk entry and runs the logic gate, a typical document includes threat, vulnerability, FAIR-style impact scenario, likelihood, and historical incident data. Excerpt:

    # Risk — Unpatched internet-facing APIs (ID.RA)
    
    ## Scenario
    
    External attackers exploit known CVEs on internet-facing APIs that are not patched within the organization's SLA, leading to unauthorized access and potential data breach.
    
    ## Threat and vulnerability
    
    - **Threat community:** External attackers (opportunistic and targeted).
    - **Threat event:** Scanning and exploitation of known API vulnerabilities.
    - **Asset:** Customer-facing API tier (auth, billing).
    - **Vulnerability:** Patch lag beyond 30 days for critical/high CVEs; no automated blocking of known-bad endpoints.
    
    ## Impact (FAIR)
    
    - **Loss type:** Confidentiality, integrity (data tampering), availability (ransomware/DoS).
    - **Magnitude:** High — regulatory exposure (GDPR/CCPA), customer notification, reputational loss. Optional quantitative: SLE estimate $200k per incident; ARO 0.3 → ALE = $60k (document assumptions in annex).
    
    ## Likelihood
    
    **Rating:** High. Internet-facing APIs are continuously probed; CISA and vendor advisories show frequent exploitation of similar stacks.
    
    ## Historical incident data
    
    - Internal: Q2 2023 — attempted exploit on legacy auth API (unpatched CVE-2023-XXXX); blocked by WAF rule before exploitation; patch applied 45 days after release.
    - Industry: CISA Known Exploited Vulnerabilities catalog and vendor bulletins show multiple API-related CVEs exploited in the wild; average time-to-exploit declining.
    

    The logic gate would pass on this text (High Likelihood with a substantive Historical Incident Data section).

    Extension tool and validations

    The skill includes one validation tool that runs on the risk register or impact narrative (Markdown or text).

    risk_score_logic_gate ensures that any risk rated High Likelihood is supported by evidence:

    • Likelihood detection — Looks for a section with a heading such as “Likelihood”, “Risk rating”, or “Risk level” (or a general threat/vulnerability/risk section) and checks whether “High” is indicated for likelihood or rating.
    • Historical Incident Data section — Looks for a heading such as “Historical Incident Data”, “Incident history”, “Past incidents”, or “Prior events” and reads the body of that section.
    • Substantive content — The section is considered present only if it has more than 30 characters of content after the heading and is not just “N/A”, “TBD”, “None”, or similar placeholders.
    • Result — PASS when either (1) Likelihood is not High, or (2) Likelihood is High and the Historical Incident Data section is present with substantive content. FAIL when Likelihood is High and the section is missing or empty, with a message to add evidence or lower the likelihood rating.

    Run this tool after drafting risk entries and before finalising the register so High likelihood is never left unjustified.
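    The four rules above are enough to reimplement the gate and see where a register entry trips it. The following is an added example written for this page, not the skill's own risk_score_logic_gate: the heading synonyms, the 30-character threshold and the placeholder list come from the description above, while the regexes, function names and the three sample entries (abbreviated from the excerpt, with constructed text) are this example's own assumptions.

```python
import re

# Heading synonyms and thresholds taken from the page's description of the tool.
LIKELIHOOD_HEADINGS = ("likelihood", "risk rating", "risk level")
FALLBACK_HEADINGS = ("risk", "threat", "vulnerability")
INCIDENT_HEADINGS = ("historical incident data", "incident history",
                     "past incidents", "prior events")
PLACEHOLDERS = {"", "n/a", "na", "tbd", "tba", "none", "todo", "-"}
MIN_SUBSTANTIVE_CHARS = 30

# ATX-style Markdown headings; this regex is an assumption of the example.
HEADING_RE = re.compile(r"^[ \t]{0,3}#{1,6}[ \t]*(.+?)[ \t]*#*[ \t]*$", re.MULTILINE)


def split_sections(text):
    """Return (heading_lowercase, body) pairs; each body runs to the next heading."""
    matches = list(HEADING_RE.finditer(text))
    sections = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        sections.append((m.group(1).strip().lower(), text[m.end():end]))
    return sections


def find_section(sections, keywords):
    """Body of the first section whose heading contains one of the keywords, else None."""
    for heading, body in sections:
        if any(k in heading for k in keywords):
            return body
    return None


def likelihood_is_high(sections):
    body = find_section(sections, LIKELIHOOD_HEADINGS)
    if body is None:
        body = find_section(sections, FALLBACK_HEADINGS)
    if body is None:
        return False
    # Accept "Likelihood: High", "**Rating:** High", "Risk level - High", or a body that
    # simply opens with "High". The word must follow the label directly, so a phrase such
    # as "High-impact, Low likelihood" is not misread as High likelihood.
    labelled = re.search(r"(likelihood|rating|level)[^A-Za-z0-9\n]{0,8}high\b", body, re.IGNORECASE)
    leading = re.match(r"[^A-Za-z0-9]*high\b", body.strip(), re.IGNORECASE)
    return bool(labelled or leading)


def normalise(body):
    """Strip list bullets, emphasis markers and whitespace runs so only prose remains."""
    body = re.sub(r"(?m)^\s*[-*•]\s+", "", body)
    body = re.sub(r"[*_`]", "", body)
    return re.sub(r"\s+", " ", body).strip()


def incident_data_status(sections):
    """Return (is_substantive, status_label) for the Historical Incident Data section."""
    body = find_section(sections, INCIDENT_HEADINGS)
    if body is None:
        return False, "missing"
    content = normalise(body)
    if content.lower().rstrip(".") in PLACEHOLDERS:
        return False, "placeholder only"
    if len(content) <= MIN_SUBSTANTIVE_CHARS:
        return False, "too short"
    return True, "present with content"


def risk_score_logic_gate(text):
    """PASS unless Likelihood is High and the incident-data section is missing or empty."""
    sections = split_sections(text)
    high = likelihood_is_high(sections)
    substantive, status = incident_data_status(sections)
    if not high:
        result, message = "PASS", "Likelihood is not High; no incident evidence required."
    elif substantive:
        result, message = "PASS", "Narrative is consistent with risk score."
    else:
        result = "FAIL"
        message = ("Likelihood is High but the Historical Incident Data section is %s: "
                   "add evidence or lower the likelihood rating." % status)
    return {"result": result, "high_likelihood": high, "incident_data": status, "message": message}


def format_report(verdict):
    """Render a verdict in the same shape as the tool output quoted in the conversation."""
    return "\n".join([
        "-- RISK SCORE LOGIC GATE --",
        "Result: %s" % verdict["result"],
        'Likelihood "High" detected: %s.' % ("yes" if verdict["high_likelihood"] else "no"),
        "Historical Incident Data section: %s." % verdict["incident_data"],
        verdict["message"],
    ])


# Constructed sample entries (abbreviated from the page's excerpt; not real register data).
PASSING_ENTRY = """# Risk - Unpatched internet-facing APIs (ID.RA)

## Likelihood

**Rating:** High. Internet-facing APIs are continuously probed.

## Historical incident data

- Internal: Q2 2023 attempted exploit on legacy auth API; blocked by WAF rule.
- Industry: CISA KEV catalog lists multiple API-related CVEs exploited in the wild.
"""
FAILING_ENTRY = """## Likelihood

**Rating:** High. Exploitation of similar stacks is widely reported.

## Historical incident data

TBD
"""
LOW_ENTRY = """## Likelihood

**Rating:** Low. The service is internal-only and patched within 7 days.

## Historical incident data

None
"""

if __name__ == "__main__":
    for name, entry in (("passing", PASSING_ENTRY), ("failing", FAILING_ENTRY), ("low", LOW_ENTRY)):
        print("== %s ==" % name)
        print(format_report(risk_score_logic_gate(entry)))
```

    The failing sample shows why the placeholder rule matters: a section headed “Historical incident data” that contains only “TBD” would satisfy a naive “heading present” check, yet the gate still returns FAIL and tells the author to add evidence or lower the rating. The low-likelihood sample passes with the same empty section, matching rule (1) above.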

    Getting started

    Add your risk register or impact narrative (or a blank document) to the project workspace and activate the Threat Impact Narrative Builder skill. For FAIR structure and ALE (SLE × ARO), the skill’s references are loaded as needed.
