GC-T009: Risk Scenario Entity #475
Description
GC-T009 | FUNCTIONAL | MUST | Wave 4 | DRAFT
Statement
The system shall support a first-class Risk Scenario entity representing a scoped statement of potential future loss tied to one or more affected operational assets, boundaries, processes, systems, objectives, or third parties within a defined time horizon. A risk scenario shall record at minimum: threat source or actor; threat event or method; affected object; vulnerability, exposure, or resistance condition when applicable; effect or consequence description; supporting observations or evidence; and links to related topology context. Risk scenarios shall be linkable to threat models, vulnerabilities, controls, findings, evidence, audits, and risk register records.
Rationale
FAIR, NIST SP 800-30, and ISO-style risk methods all require risk to be scoped to a scenario rather than a vague label. Anchoring the scenario to operational assets, observations, and topology is the minimum structural fix needed to support multiple methodologies without semantic collapse.
Created from Ground Control requirement GC-T009
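A minimal sketch of the minimum-content rule in the Statement, added here as an illustration and not taken from the Ground Control code base. Every field name, kind name and sample value is an assumption, as is treating the time horizon as a required field.

```python
from dataclasses import dataclass, field

# All field and kind names are hypothetical; the requirement names concepts, not a schema.
REQUIRED_TEXT = ("threat_source", "threat_event", "effect", "time_horizon")
OBJECT_KINDS = {"asset", "boundary", "process", "system", "objective", "third_party"}
LINK_KINDS = {"threat_model", "vulnerability", "control", "finding",
              "evidence", "audit", "risk_register_record"}

@dataclass
class RiskScenario:
    threat_source: str = ""      # threat source or actor
    threat_event: str = ""       # threat event or method
    effect: str = ""             # effect or consequence description
    time_horizon: str = ""       # e.g. "12 months"
    condition: str = ""          # vulnerability, exposure or resistance; optional
    affected: list = field(default_factory=list)       # (kind, id) pairs, at least one
    observations: list = field(default_factory=list)   # observation or evidence ids
    topology_refs: list = field(default_factory=list)  # links to topology context
    links: list = field(default_factory=list)          # (kind, id) pairs to other records

    def problems(self):
        """Return every reason this record fails the minimum-content rule."""
        out = [f"missing {n}" for n in REQUIRED_TEXT if not getattr(self, n).strip()]
        if not self.affected:
            out.append("no affected object")
        out += [f"unknown affected kind {k!r}"
                for k, _ in self.affected if k not in OBJECT_KINDS]
        if not self.observations:
            out.append("no supporting observations or evidence")
        if not self.topology_refs:
            out.append("no topology context")
        out += [f"unknown link kind {k!r}" for k, _ in self.links if k not in LINK_KINDS]
        return out

# Constructed sample records, not taken from the project.
COMPLETE = RiskScenario(
    threat_source="external criminal group", threat_event="credential phishing",
    effect="payroll run delayed", time_horizon="12 months",
    condition="no phishing-resistant MFA on payroll admin accounts",
    affected=[("system", "payroll-app"), ("third_party", "payroll-vendor")],
    observations=["OBS-1"], topology_refs=["TOPO-1"],
    links=[("control", "CTL-1"), ("risk_register_record", "RR-1")])
VAGUE = RiskScenario(threat_source="ransomware", links=[("ticket", "T-1")])

if __name__ == "__main__":
    print(COMPLETE.problems())
    print(VAGUE.problems())
```

The `VAGUE` record is the "vague label" case the Rationale describes: a threat name with no affected object, effect, evidence or topology anchor.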