Decision trees

A decision tree is a map of the possible outcomes of a series of related choices. It has the shape of a tree, hence its name. Each branch represents a possible decision, occurrence or reaction.

A decision tree is the minimum number of yes/no questions that one has to ask, to assess the probability of making a correct decision, most of the time. As a method, it allows for a structured and systematic way to approach a complex problem in order to arrive at a logical conclusion.

A reader of the tree can see how and why one choice may lead to the next, with the use of the branches indicating mutually exclusive options. The maps can be used for example, to stimulate informal discussion, to map out an algorithm that predicts the best choice mathematically, and to create security policies. Decision analysis can also make forecasts of decision outcomes without precise numbers, as long as probability distributions describing the possible values for all variables can be estimated.

Decision trees can be seen as generative models of induction rules from empirical data. An optimal decision tree is then defined as a tree that accounts for most of the data, while minimizing the number of levels (or “questions”).

Possible questions

For an example tree supporting policy-making decisions, suppose the following questions:

Is there a compelling need for this guidance and, if yes, what type of guidance (policy, standard, guideline) needs to be created?

  1. What are the consequences/risks of not having documented guidance covering this security topic?
    • Is there is a legal requirement to have it documented?
    • Are there operational issues that require direction?
    • Is there new technology that requires organisation-wide guidance?
    • Will documenting (and implementing) this guidance mitigate risks?
  2. What are the consequences/risks of having documented guidance covering this security topic?
    • Can it be implemented?
    • Does it represent a strategy we want to plan for?
    • Does a policy already exist?
    • Does a new policy contradict existing policies or other laws and/or regulations?
  3. Will the documented guidance use “must” and “should” (is it to be mandatory)? Does it require technology? If it is mandatory, implementable, applicable across the organisation, and technology-independent, state it as a policy. If it is mandatory, implementable, and applicable, but specific to a particular technology, state it as a standard.
    • Is there a law requiring the organisation to follow this?
    • Is there a contractual obligation to do so?
    • Is there another reason to make it mandatory?
    • Is this guideline likely to change when new technology becomes available? What part of it is technology dependent, and what part is general policy?
  4. Can it be summarized in one page? More detailed documentation can be provided as standards, guidelines, or procedures.
  5. How often do policies and related standards, guidelines, or procedures need to be reviewed in order to stay current?
  6. Are exemptions or exceptions allowed?
  7. Is it organisation-wide?
  8. Is it IT specific? What other domains are involved and who should be included in its drafting and the decision-making process?

Possible tree

  • Last modified: 2019/09/07 22:32