Hackathon design

Hi @adamshostack + others,

I see your point and I like where this is heading. It’s a bit like asking “What makes a good threat model [in a learning scenario]?”

First thoughts on your criteria:

  • Originality: :+1:
  • Comprehensibility: :+1:
  • Time to review: This is a bit like saying it should be short and sweet. It rewards discarding all the low-risk threats, while documenting that they were seen and discarded has value.
  • Unique threats found (not in any other analysis): Rewards fancy / crazy low-likelihood threats that are not really an issue
  • Fraction of content that’s “actionable”: Not sure if I understand. Can you explain? Also: Are “no action” findings actionable? :wink:

Criteria… How about

  • Relevance of threats
  • Irrelevant threats discarded or judged “no action” early on
  • Adequateness of mitigations (do mitigations really tame associated threats)
  • Feasibility of mitigations (the solution should take into account that not infinite effort can be made to tame all kind of threats and make sensible decisions) (would require some input on what is feasible)

What do you think?