Odoo Community Association

Feared Events

Beta License: AGPL-3 OCA/management-system Translate me on Weblate Try me on Runboat

This module allows you to manage feared events (security incidents) of your Information Security Management System (ISMS) and assess their risk using a configurable risk matrix.

Key concepts:

Table of contents

Configuration

Risk Matrix Levels

Define which cells in the risk matrix are green, orange, or red.

Go to Management System > Configuration > Security > Risk Matrix Levels and create one record per zone. Each level covers a rectangular region of the matrix defined by a probability range and a severity range. Ranges must not overlap.

A default 4 × 4 matrix configuration is installed with the module. Adjust it to match your organization’s risk appetite.

Assets and Threat Sources

Before creating vectors and events, populate the reference data:

  • Management System > Manuals > Security > Assets > Primary Assets — the information assets or business processes you need to protect.
  • Management System > Manuals > Security > Assets > Supporting Assets — the servers, software, and infrastructure that host primary assets. Link each supporting asset to the primary assets it carries.
  • Management System > Manuals > Security > Threat Sources — the actors or causes that could exploit a vector (e.g. external attacker, malicious insider).

Usage

Typical workflow

1. Create attack vectors

Go to Management System > Manuals > Security > Vectors and create one record per attack vector. For each vector:

  • Set the Original probability and severity (risk without any control).
  • Set the Current probability and severity (risk with existing controls).
  • Set the Residual probability and severity (risk after planned remediation).
  • Optionally link the supporting assets that are exposed by this vector.

2. Create security controls

Go to Management System > Manuals > Security > Controls and create the countermeasures available in your organization.

3. Create feared events

Go to Management System > Manuals > Security > Feared Events and create one record per feared event. For each event:

  • Tick the Confidentiality, Integrity, and/or Availability flags that the event threatens.
  • In the Scenarios tab, add one line per attack scenario: select the vector and threat source, and describe how the attack could unfold. The event’s risk ratings (probability and severity) are automatically computed as the maximum across all linked vectors.
  • In the Controls tab, add the controls that mitigate this event. For each control line, indicate whether it acts as Prevention, Protection, and/or Recovery, and optionally link the specific supporting asset it protects.

Use the search bar to filter events by Confidentiality, Integrity, or Availability, or group them by system or severity.

4. Generate the risk matrix

Go to Management System > Manuals > Security > Risk Matrix, select the risk type (Original, Current, or Residual), and click Done to generate the PDF report. Each cell shows the feared events at that probability/severity intersection, color-coded by the configured risk level.

Bug Tracker

Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us to smash it by providing a detailed and welcomed feedback.

Do not contact contributors directly about support or help with technical issues.

Credits

Authors

  • Savoir-faire Linux

Maintainers

This module is maintained by the OCA.

Odoo Community Association

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

This module is part of the OCA/management-system project on GitHub.

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.