nogamenolife12/Merge

GitHub: nogamenolife12/Merge


# Merge - Cyber Risk Quantification Platform

**Merge** is a full-stack Cyber Risk Quantification (CRQ) platform that translates an organization's technical security posture into board-level financial risk language. By combining the **FAIR methodology** with **IBM Cost of Data Breach 2025 benchmarks**, the platform calculates quantitative cyber exposure metrics (such as Annual Loss Exposure) and suggests a prioritized remediation roadmap.

## 1. System Architecture

The application is structured as a decoupled full-stack architecture comprising a Node.js/Express backend and a React (Vite) frontend.

```mermaid
graph TD
    subgraph Frontend ["React Dev Server - Port 5174"]
        A["Onboarding Form"] -->|"1. Submit Posture Data"| B["Animated Processing Screen"]
        B -->|"2. HTTP POST /api/analyze"| C["Express REST API"]
        D["Interactive Dashboard"] <-->|"5. Dynamic USD/INR Switch"| E["State Manager"]
        C -->|"4. Return Calculated Metrics"| D
    end
    subgraph Backend ["Express Server - Port 5001"]
        C --> F["FAIR Risk Engine"]
        F --> G["Dynamic Summary Generator"]
        F --> H["NVD API Client"]
        H -->|"3a. Call NVD REST API (3s timeout)"| I["NIST NVD Database"]
        H -->|"3b. Fail / Timeout Fallback"| J["Local High-Fidelity CVE DB"]
    end
```

### Directory Structure

* **[backend/](file:///Users/vanshajrana/Merge/backend)**: Express server and the quantification logic engine.
* **[frontend/](file:///Users/vanshajrana/Merge/frontend)**: Vite+React development codebase, styled using Vanilla CSS and Tailwind CSS v3.

## 2. Technical Specifications & Math Engine

The core math engine operates on the **Factor Analysis of Information Risk (FAIR)** standard. It estimates financial risk as **Annual Loss Exposure (ALE)**, defined as:

$$\text{ALE} = \text{Loss Event Frequency (LEF)} \times \text{Loss Magnitude (LM)}$$

### A. Loss Event Frequency (LEF)

LEF is the probability of a successful breach occurring within a one-year window:

$$\text{LEF} = \text{Threat Event Frequency (TEF)} \times \text{Vulnerability (Vuln)}$$

1. **Threat Event Frequency (TEF)**: Baseline attempts per year by threat actors targeting specific industries.
   * **Finance, Healthcare, Technology**: `0.9` (highly targeted)
   * **Retail, E-commerce, Government**: `0.7` (moderately targeted)
2. **Vulnerability (Vuln)**: The probability that an attack succeeds, which decreases as security controls are added:
   * **Base Vulnerability**: `0.8` (no security controls active)
   * **Control Mitigations** (each active control reduces Vuln):
     * *Firewall*: `-0.15`
     * *WAF*: `-0.15`
     * *EDR*: `-0.15`
     * *SIEM*: `-0.10`
     * *DLP*: `-0.10`
     * *Vulnerability Scanner*: `-0.10`
     * *SOAR*: `-0.05`
   * **Vulnerability Floor**: `0.10` (no system is 100% secure)

### B. Loss Magnitude (LM)

LM represents the total financial cost of a successful security incident. We initialize this using **IBM Cost of Data Breach 2025 industry averages**:

| Industry Sector | Baseline Cost (USD) |
| :--- | :--- |
| **Healthcare** | $7,420,000 |
| **Finance** | $5,560,000 |
| **Technology** | $4,970,000 |
| **E-commerce** | $3,900,000 |
| **Retail** | $2,960,000 |
| **Government** | $2,830,000 |

#### Cost Modifiers:

* **Organization Size Multipliers**:
  * *Small (<500 employees)*: `0.2`
  * *Medium (500 - 5,000 employees)*: `1.0`
  * *Enterprise (5,000+ employees)*: `2.5`
* **Post-Breach Category Splits & Control Discounts**:
  1. *Estimated Breach Cost* (Detection, Response): `35%` of total base cost.
  2. *Regulatory Fine Exposure*: `15%` of total base cost (reduced by `20%` if **DLP** is active).
  3. *Downtime & Operational Loss*: `30%` of total base cost (reduced by `30%` if **SOAR** and `10%` if **EDR** are active).
  4. *Reputational Damage*: `20%` of total base cost (reduced by `15%` if **SIEM** or **WAF** are active).

$$\text{LM} = (\text{Breach Cost} + \text{Regulatory Fines} + \text{Downtime} + \text{Reputational Damage}) \times \text{Size Multiplier}$$

## 3. Engineering Implementations

### A. The Backend Engine (`/backend`)

* **[server.js](file:///Users/vanshajrana/Merge/backend/server.js)**: Runs an Express server exposing a POST `/api/analyze` and a health-check GET `/api/health` endpoint.
* **[analyzer.js](file:///Users/vanshajrana/Merge/backend/analyzer.js)**:
  * Executes the math calculations outlined above.
  * Queries the live **NIST NVD API v2** using a 90-day time window and industry-specific keywords.
  * Implements a strict **3-second hard timeout** for the NVD API request. If the NVD server hangs, rate-limits, or fails, the engine seamlessly returns a set of high-fidelity, realistic fallback CVEs.
  * Generates a fully dynamic **Board-Level Executive Summary** that describes the organization's current risk tier, lists control gaps, and highlights the security investment with the highest ROI.

### B. The Frontend Experience (`/frontend`)

* **[App.jsx](file:///Users/vanshajrana/Merge/frontend/src/App.jsx)**: Manages state and templates across three screens:
  1. **Screen 1 — Onboarding**: A corporate light-themed form requiring company name, industry, size, and an active security controls checklist. Includes a toggle for USD/INR.
  2. **Screen 2 — Processing**: A loading sequence showing simulated stages ("Fetching live vulnerability data from NVD...", etc.) and a smooth progress bar.
  3. **Screen 3 — Dashboard**: A professional CISO dashboard that features:
     * **Risk Exposure Header**: Large headline annual loss figures with a risk tier badge.
     * **Financial Breakdown Chart**: An interactive Recharts donut chart visualizing category splits.
     * **Security Gap Analysis**: Real-time status checks showing mitigated threats vs. highlighted critical gaps.
     * **NVD Threat Intelligence**: Displays the top 5 industry-relevant CVEs with CVSS scores and descriptions.
     * **Prioritized Remediation Roadmap**: Recommendations prioritized dynamically by ROI (calculating the percentage of annual loss exposure reduced relative to tool deployment effort).

## 4. Key Configurations & Settings

## 5. Summary of Recent Fixes (May 21, 2026)

1. **White Screen Crash**: Resolved a React runtime crash. The dashboard was trying to evaluate `BASE_BREACH_COSTS[analysisData.industry]` to display industry benchmarks, but `BASE_BREACH_COSTS` was undefined on the frontend. The constant has been added to the top of `App.jsx`.
2. **SSL Reference Update**: Updated the header standard link from `https://openfair.org/` (which was triggering "connection not private" browser alerts due to SSL configuration issues) to the official secure certification page: **`https://www.opengroup.org/certifications/openfair`**.

## 6. How to Run and Test Locally

### Prerequisite: Start the Servers

Verify that both servers are running. If they are not running on your machine, you can spin them up from their respective directories:

#### 1. Backend Server

```bash
cd backend
npm run dev
```

*Runs on port `5001`.*

#### 2. Frontend Server

```bash
cd frontend
npm run dev
```

*Runs on port `5174` (or fallback `5173` if occupied).*
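The math engine from section 2, carried through end to end as an added example (this is not the project's `analyzer.js`): it computes Vuln, LEF, the four LM categories and ALE from the documented constants, then ranks the missing controls by how much ALE each would remove, which is the input the remediation roadmap needs. The function names, the input shape and the additive combination of the SOAR and EDR downtime discounts are assumptions.

```javascript
// Added example, not the project's own code. Constants are the ones documented in this README;
// function names, input shape, and the additive SOAR+EDR downtime discount are assumptions.
const TEF = { finance: 0.9, healthcare: 0.9, technology: 0.9, retail: 0.7, ecommerce: 0.7, government: 0.7 };
const BASE_BREACH_COSTS = { healthcare: 7420000, finance: 5560000, technology: 4970000,
                            ecommerce: 3900000, retail: 2960000, government: 2830000 };
const VULN_REDUCTION = { firewall: 0.15, waf: 0.15, edr: 0.15, siem: 0.10, dlp: 0.10, scanner: 0.10, soar: 0.05 };
const SIZE_MULTIPLIER = { small: 0.2, medium: 1.0, enterprise: 2.5 };
const VULN_BASE = 0.8, VULN_FLOOR = 0.10;

function analyzePosture({ industry, size, controls }) {
  const active = new Set(controls);
  // LEF = TEF x Vuln; each active control lowers Vuln, but never below the 0.10 floor.
  let vuln = VULN_BASE;
  for (const c of active) vuln -= VULN_REDUCTION[c] ?? 0;
  vuln = Math.max(vuln, VULN_FLOOR);
  const lef = TEF[industry] * vuln;
  // LM: category splits of the IBM baseline, each discounted by its mitigating controls.
  const base = BASE_BREACH_COSTS[industry];
  const breakdown = {
    breachCost: base * 0.35,
    regulatoryFines: base * 0.15 * (active.has('dlp') ? 0.8 : 1),
    downtime: base * 0.30 * (1 - (active.has('soar') ? 0.3 : 0) - (active.has('edr') ? 0.1 : 0)),
    reputational: base * 0.20 * (active.has('siem') || active.has('waf') ? 0.85 : 1),
  };
  const lm = Object.values(breakdown).reduce((a, b) => a + b, 0) * SIZE_MULTIPLIER[size];
  return { vuln, lef, lm, ale: lef * lm, breakdown };
}

// Remediation roadmap input: for every control not yet deployed, the ALE it would remove if added.
// Sorted descending, so index 0 is the single highest-impact investment.
function rankRemediations(posture) {
  const current = analyzePosture(posture).ale;
  return Object.keys(VULN_REDUCTION)
    .filter((c) => !posture.controls.includes(c))
    .map((c) => {
      const ale = analyzePosture({ ...posture, controls: [...posture.controls, c] }).ale;
      return { control: c, aleReduction: current - ale, pctReduced: (current - ale) / current };
    })
    .sort((a, b) => b.aleReduction - a.aleReduction);
}

// Constructed sample posture: a mid-size finance firm running only a firewall and a SIEM.
const sample = { industry: 'finance', size: 'medium', controls: ['firewall', 'siem'] };
console.log(analyzePosture(sample).ale, rankRemediations(sample)[0]);
```

For the sample posture the engine yields Vuln 0.55, LEF 0.495 and ALE of 2,669,634 USD, and EDR tops the roadmap because it lowers Vuln and discounts the downtime category at the same time.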
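The 3-second hard timeout and fallback behaviour of the NVD client (section 3.A), as an added example that is not the project's `analyzer.js`. The fetch implementation is injected so the timeout path can be exercised offline; the fallback entries are constructed placeholders, and the result is tagged with its source so the dashboard can tell live NVD data from the local list.

```javascript
// Added example, not the project's own code. fetchCvesWithFallback, the injectable fetchImpl and
// the placeholder fallback entries are assumptions; the NVD request URL and parameters are omitted.
const FALLBACK_CVES = [ // constructed placeholders, not real NVD records
  { id: 'CVE-0000-0001', cvss: 9.8, description: 'Placeholder fallback entry (constructed)' },
];

async function fetchCvesWithFallback(url, { timeoutMs = 3000, fetchImpl = globalThis.fetch } = {}) {
  const controller = new AbortController();
  // Hard timeout: abort the in-flight request instead of waiting on a hung or rate-limited server.
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { signal: controller.signal });
    if (!res.ok) throw new Error(`NVD responded ${res.status}`); // e.g. 403 when rate-limited
    const body = await res.json();
    return { source: 'nvd', cves: body.vulnerabilities ?? [] };
  } catch (err) {
    // Abort, network error, non-2xx or malformed JSON all degrade to the local list.
    // Tagging the source lets the UI label the data as non-live rather than present it as fresh intel.
    return { source: 'fallback', reason: err.name, cves: FALLBACK_CVES };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed stand-in for an NVD endpoint that never answers: it only settles once aborted.
function hangingFetch(_url, { signal }) {
  return new Promise((_, reject) => {
    signal.addEventListener('abort', () =>
      reject(Object.assign(new Error('request aborted'), { name: 'AbortError' })));
  });
}

// Constructed stand-in for a healthy NVD response carrying one record.
async function healthyFetch() {
  return { ok: true, status: 200, json: async () => ({ vulnerabilities: [{ cve: { id: 'CVE-0000-0002' } }] }) };
}
```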