git.stella-ops.org/docs/risk/formulas.md
StellaOps Bot 18d87c64c5 feat: add PolicyPackSelectorComponent with tests and integration
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
2025-12-05 21:24:34 +02:00

Risk Formulas (draft outline)

Draft scaffold; fill once 66-003/66-004 inputs (engine rollout notes + factor contract) are available. Keep math examples deterministic with fixed fixtures.

Purpose

  • Describe how normalized factors combine into a 0–100 risk score with severity bands.
  • Capture gating, weighting, normalization, and override rules.

Scope & Audience

  • Audience: risk engineers, policy authors, auditors.
  • In scope: weighting strategies, aggregation functions, severity thresholds, gating rules, tie-breakers.
  • Out of scope: full API payloads (see api.md), factor definitions (see factors.md).

Formula Building Blocks (to fill)

  • Weighted sum / capped contribution
  • Max/min guards per factor family
  • Threshold gates (e.g., block if exploitability + reachability high)
  • Decay/time weighting
  • Tenant/asset overrides and imposed rules

Severity Mapping (outline)

  • Proposed bands (example placeholder):
    • Critical: 90–100
    • High: 70–89
    • Medium: 40–69
    • Low: 1–39
    • Info: 0
  • Final bands pending governance approval; update once PLLG0104 confirms.

Determinism

  • Stable ordering of factors before aggregation.
  • Use fixed precision (e.g., 4 decimals) before severity mapping.
  • Hash fixtures and record SHA256 for every example payload.

Interim notes: mirror legacy rule — simulation and production must share the exact evaluation codepath; no per-environment divergences. Severity buckets must be deterministic and governed by Authority scopes.
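The building blocks, placeholder bands and determinism rules above, carried through as one added Python example. This is not StellaOps code: the factor names, weights, per-factor caps, family guards, the gate threshold and floor, the decay half-life and the band edges used for fractional scores are all illustrative assumptions; only the band numbers come from the outline.

```python
"""Deterministic risk score: capped weighted sum, per-family max guard,
threshold gate, time decay, tenant overrides, fixed precision, severity
bands and a SHA-256 fixture hash. All constants are illustrative assumptions."""
import hashlib
import json
from decimal import Decimal, ROUND_HALF_EVEN
from typing import Optional

# Constructed factor contract (assumption): name -> (family, weight, cap).
# Weights sum to 100 so all-maximal inputs land on the top of the 0-100 scale.
FACTOR_SPEC = {
    "cvss_base":      ("severity", 35.0, 35.0),
    "epss":           ("exploit",  20.0, 20.0),
    "kev_listed":     ("exploit",  15.0, 15.0),
    "reachability":   ("context",  20.0, 20.0),
    "asset_exposure": ("context",  10.0, 10.0),
}
# Max guard per family: a family never contributes more than this many points.
FAMILY_MAX = {"severity": 35.0, "exploit": 30.0, "context": 30.0}
# Threshold gate (assumption): exploitability and reachability both high
# forces the score to at least GATE_FLOOR, i.e. into the Critical band.
GATE_THRESHOLD = 0.8
GATE_FLOOR = 90.0
# Time decay (assumption): the EPSS signal loses half its weight every 90 days.
DECAY_HALF_LIFE_DAYS = 90.0
DECAYED_FACTORS = {"epss"}
PRECISION = Decimal("0.0001")  # fixed 4 decimals before severity mapping


def decay_multiplier(age_days: float) -> float:
    """Exponential half-life decay in (0, 1]; an age of 0 days returns 1.0."""
    return 0.5 ** (max(age_days, 0.0) / DECAY_HALF_LIFE_DAYS)


def severity_band(s: float) -> str:
    """Placeholder bands from the outline; edges for fractional scores are assumed."""
    if s >= 90:
        return "Critical"
    if s >= 70:
        return "High"
    if s >= 40:
        return "Medium"
    if s > 0:
        return "Low"
    return "Info"


def score(factors: dict, *, signal_age_days: float = 0.0,
          overrides: Optional[dict] = None) -> dict:
    """Combine normalized factors (each in [0, 1]) into a 0-100 score.
    Returns score, band, gate flag and the per-factor contributions table."""
    overrides = overrides or {}
    contributions = {}
    family_totals = {}
    # Stable ordering: sorted factor names, never dict insertion order, so
    # floating-point summation happens in the same order on every run.
    for name in sorted(factors):
        if name not in FACTOR_SPEC:
            raise ValueError(f"unknown factor: {name}")
        family, weight, cap = FACTOR_SPEC[name]
        value = min(max(float(factors[name]), 0.0), 1.0)  # clamp to [0, 1]
        if name in DECAYED_FACTORS:
            value *= decay_multiplier(signal_age_days)
        contrib = min(weight * value, cap)  # capped contribution
        contributions[name] = contrib
        family_totals[family] = family_totals.get(family, 0.0) + contrib
    # Max guard per family, applied to the capped sums, again in sorted order.
    total = sum(min(t, FAMILY_MAX[f]) for f, t in sorted(family_totals.items()))
    gated = (factors.get("epss", 0.0) >= GATE_THRESHOLD
             and factors.get("reachability", 0.0) >= GATE_THRESHOLD)
    if gated:
        total = max(total, GATE_FLOOR)
    # Tenant/asset overrides: an imposed floor and/or ceiling on the final score.
    if "floor" in overrides:
        total = max(total, float(overrides["floor"]))
    if "ceiling" in overrides:
        total = min(total, float(overrides["ceiling"]))
    # Fixed precision before band mapping so band edges are stable across runtimes.
    fixed = Decimal(repr(total)).quantize(PRECISION, rounding=ROUND_HALF_EVEN)
    return {
        "score": float(fixed),
        "severity": severity_band(float(fixed)),
        "gated": gated,
        "contributions": {k: round(v, 4) for k, v in contributions.items()},
    }


def fixture_hash(payload: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, fixed separators), so a fixture
    hashes identically no matter how its keys were ordered when written."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed fixture: high EPSS plus high reachability trips the gate.
    fixture = {"cvss_base": 0.9, "epss": 0.85, "kev_listed": 1.0,
               "reachability": 0.9, "asset_exposure": 0.5}
    result = score(fixture)
    print(json.dumps({"input": fixture, "output": result,
                      "sha256": fixture_hash(fixture)}, indent=2, sort_keys=True))
```

The contributions table reports each factor's capped contribution before the family guard, so an auditor can see both why the exploit family was clipped at 30 points and why the gate, not the weighted sum, produced the final Critical score.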

Examples (placeholders)

  • TBD sample JSON: input factors + output score + contributions table.
  • TBD CLI/Console screenshots once telemetry assets provided.

Open Items

  • Engine rollout notes for gating/weighting defaults
  • Severity band approval
  • Sample payloads and UI traces

References

  • docs/risk/overview.md
  • docs/risk/profiles.md
  • docs/risk/factors.md
  • docs/risk/api.md