Conflicting rules in Rules Engine | How to approach if there's a use-case

Harsh_Shah · July 30, 2025, 11:05am

What to do in case we have conflicting rules for the same model?

I created a Rule in IRIUSRISK called “Conflict Rule 1”
- Context: Threat – Component conditions
- When: a Component of type Web Service is added
- Then: set the Threat “Authentication Bypass” to Mitigated
I created a 2nd Rule in IRIUSRISK called “Conflict Rule 2”
- Context: Threat – Component conditions
- When: a Component of type Web Service is added
- Then: set the Threat “Authentication Bypass” to Required

jrabe3 · July 31, 2025, 8:54pm

Interesting question. In IriusRisk, you can only set Threats to Not Applicable. If you want to mitigate that threat, you would need to set the associated countermeasure attached to that threat to “implemented” or if you wanted to demonstrate planned mitigation on that threat you could set it to “required”.

In any event where you have conflicting rules, the rule that runs last will win and will be the expressed rule in your threat model.

Topic		Replies	Views
Understanding "Add Threat" Screen – Project vs. Component Threats, Use Case & Integration with Risk Library Techniques & Tooling iriusrisk	4	53	July 14, 2025
Threat Modeling of products that are based on internal "platforms" Techniques & Tooling	0	16	October 28, 2022
Researching Threat Modeling Techniques & Tooling	3	42	August 22, 2024
Threat model of a Mobile app Techniques & Tooling	5	93	November 14, 2025
Threat modeling and risk management General	24	423	September 4, 2025

Conflicting rules in Rules Engine | How to approach if there's a use-case

Related topics