|
| 1 | +# Playbook Guide |
| 2 | + |
| 3 | +## Playbook linting rules |
| 4 | + |
| 5 | +- WARN: Title should be shorter than 35 characters |
| 6 | +- WARN: Summary should be shorter than 105 characters |
| 7 | +- MUST: Playbook should have a realistic time estimate for user execution when everything goes as planned |
| 8 | + on average. (Time to fix findings is not included in the estimate) |
| 9 | +- MUST: Playbook audience should be personal, if it is designed for individual use (e.g. instead of a company) |
| 10 | +- MUST: Playbook audience should be business if it is designed for organization's use |
| 11 | +- MUST: Playbook serviceTier should be free if it can be executed with a free badrap.io account |
| 12 | +- MUST: Playbook serviceTier should be automation if automation tier is needed and enough to execute. |
| 13 | +- MUST: Playbook should be tagged as full service if full service tier is needed for the execution |
| 14 | +- MUST: Playbooks should have an author. |
| 15 | +- MUST: Playbooks should have an introduction which describes the (business or personal) risk the playbook is addressing. |
| 16 | + No need to sell, just help to align. |
| 17 | +- MUST: Playbooks should have an introduction which briefly describes how the playbook addresses the problem. |
| 18 | +- MUST: The introduction title should be "Introduction" |
| 19 | +- MUST: Playbook should have Playbook.CompletionStep React component at the end of Playbook.Steps |
| 20 | +- MUST: Playbook steps should clearly describe activities in that step |
| 21 | +- MUST: Playbook step title should focus on the task. It should not focus on badrap.io -specific step |
| 22 | +- MUST: Steps must be clearly scoped. There should not be two steps which address the same topic |
| 23 | +- MUST: Account creation suggestions for unauthenticated users should describe why from the playbook perspective |
| 24 | +- MUST: Step title should focus on describing the task user will execute |
| 25 | +- MUST: Playbook should address how to fix potential issues |
| 26 | +- MUST: Playbook should not have typos and grammatical errors |
| 27 | +- WARN: Playbook step focuses too much on describing badrap-specific execution instead of giving badrap-agnostic |
| 28 | + advice on how to accomplish a task (Badrap perks and benefits can be mentioned, as long as the step starting point is general advice) |
| 29 | +- WARN: When the playbook step discusses talking to experts or needing advice, it should have "Book a meeting" link similar to other playbooks |
| 30 | +- MUST: Book a meeting explanation should describe a reason why the user would want to book the meeting |
| 31 | +- MUST: Book a meeting explanation must be relevant to the specific step where it appears, not generic or referencing other steps' activities |
| 32 | +- WARN: Book a meeting explanation should be at most 70 characters |
| 33 | +- MUST: Explanation should not repeat "book a meeting" if it is already mentioned in the button |
| 34 | +- WARN: the playbook structure should not deviate much from other playbooks. Consider both content and html/css |
| 35 | +- WARN: Avoid excessive use of images. Only introduction section should have an image. |
| 36 | +- WARN: Avoid suggesting "also do this" activities that are separate from the playbook's core objective. |
| 37 | + Each playbook step must directly contribute to achieving the playbook's core objective. Steps that feel like |
| 38 | + "nice to have" or "while you're at it" activities should be reconsidered. Training or educational steps must |
| 39 | + be scoped to the current task, not as general improvement opportunities. Service promotion should not drive step |
| 40 | + inclusion - steps must serve the task at hand |
| 41 | +- MUST: If there is an app which automates the step, or part of the step, the app should be listed in that step. |
| 42 | +- MUST: Use consistent terminology. For example if you talk about data breaches, don't switch to data leaks |
| 43 | + all of a sudden. |
| 44 | + |
| 45 | +## badrap.io language guide |
| 46 | + |
| 47 | +- Use active and casual tone |
| 48 | +- Be positive |
| 49 | +- Avoid marketing hype |
| 50 | +- Avoid corporate jargon |
| 51 | +- Use first person singular when it is obvious that a person is the actor: |
| 52 | + - Good: "I thought I'd inform you about..." |
| 53 | + - Bad: "We're informing you about..." |
| 54 | +- Avoid using faceless organization as an actor. |
| 55 | + - Good: "We in Badrap believe that cyber security should be easy." |
| 56 | + - Bad: "Badrap believes that cyber security should be easy." |
| 57 | +- You can use acronyms also when you are pointing to a specific technical object, such as a service or a protocol |
| 58 | +- Avoid also other cybersecurity jargon in general, not just acronyms. Avoid for example "credentials" |
| 59 | +- Avoid military and war terminology when the topic is not related to military and war. Examples: |
| 60 | + - Instead of "Weaponization" use wording, such as "creating a way to exploit a vulnerability" |
| 61 | + - Instead of "Cyber Kill Chain" use wording, such as "steps that criminals take to break into a computer system" |
| 62 | +- Playbooks are designed to make cyber security easy. Reflect that with the choice of words. Examples: |
| 63 | + - Bad: "share details with expert", better: "share the details you have easily available" |
| 64 | + - Bad: "get a comprehensive report with all the details", better: "get a concise report with the |
| 65 | + necessary details to fix the issues". |
| 66 | +- Avoid long sentences. Sentences over 130 characters need to be very clear otherwise. Never go beyond 160 characters. |
| 67 | + |
| 68 | +## Playbook design principles |
| 69 | + |
| 70 | +### What they are |
| 71 | + |
| 72 | +Playbooks: |
| 73 | + |
| 74 | +- provide a step-by-step guide to help readers to complete cybersecurity tasks and goals |
| 75 | +- help customers to achieve clearly defined bite-sized cyber security goals that can be |
| 76 | + achieved in a reasonable time |
| 77 | +- enable cyber security self-service |
| 78 | +- make tasks easier over time as many of them build on top of the common groundwork tasks |
| 79 | +- are something people do periodically, or eventually |
| 80 | +- are perfect for someone to explain to their manager (or parents) what should be |
| 81 | + done to improve cyber security |
| 82 | +- are a source of delight: "you've now completed this playbook", |
| 83 | + "you have all these cyber security processes active as you have |
| 84 | + completed these playbooks". |
| 85 | + |
| 86 | +### Why people like to execute playbooks on badrap.io platform |
| 87 | + |
| 88 | +Playbooks on badrap.io make accomplishing the customer's goals easier because they: |
| 89 | + |
| 90 | +- offer automation for the steps that can be automated |
| 91 | +- provide easy ways to connect different pieces of automations for accomplishing a specific task |
| 92 | +- provide easy ways to get help if customers get stuck on the task at hand |
| 93 | +- give an easy access to a vast network of experts of different topics |
| 94 | +- establish and support a repeatable process required by information security management systems, |
| 95 | + cyber security standards and regulation |
| 96 | +- allow people to report upwards and to remind themselves about all the cyber security achievements |
| 97 | + and progress after they have engaged the playbook. |
| 98 | +- executing tasks get even easier over time: |
| 99 | + - when steps are automated, many annual tasks turn into quick annual reviews |
| 100 | + - the groundwork steps are often shared between different playbooks. Completing a |
| 101 | + playbook can mean some of the steps in other playbooks are already done. |
| 102 | + E.g. "Now that you completed playbook X, five out of seven steps of playbook Y are already done |
| 103 | + |
| 104 | +## More philosophical points of playbooks: |
| 105 | + |
| 106 | +- They can also be something we or our partners mostly do as a service |
| 107 | +- They can be something somebody else mostly does as a service |
| 108 | + |
| 109 | +### Conversion opportunities |
| 110 | + |
| 111 | +- If certain apps make sense for certain tasks then make adding them easy. For example, if certain asset types are relevant for the tasks then make claiming them easy with apps |
| 112 | +- If some task requires manual work, offer an opportunity to outsource it (e.g. simply link to booking calendar for an expert service provider) |
| 113 | +- If app or service requires paid subscription, still show their availability in context of the task at hand but offer the subscription to unlock them |
| 114 | + |
| 115 | +## Instructions for AI reviewers |
| 116 | + |
| 117 | +Categorize the checks to the following categories: |
| 118 | + |
| 119 | +- Linting rules check: |
| 120 | + - Only evaluate compliance with the explicit MUST and WARN requirements listed in this guide |
| 121 | + - List the status for all rules under this section |
| 122 | +- Language checks: |
| 123 | + - List issues that violate language guide section |
| 124 | + - List grammar & typo fixes |
| 125 | +- Design principle check: |
| 126 | + - Check issues that might violate playbook design principles |
| 127 | + |
| 128 | +Also follow these rules: |
| 129 | + |
| 130 | +- Follow the category structure above when outputting results. Don't invent new subcategories. You may, however, include a summary of the findings at the end |
| 131 | +- When looking at the source code, understand that some of the playbook metadata can be included from other files |
| 132 | +- Be precise when listing violations. Make sure you refer to the exact part of the guide |
| 133 | +- Don't confuse the sections. When the playbook violates linting rules, list the finding there and not under a wrong section, for example under design principle check in this case. |
| 134 | +- Warn if the same requirement is covered by several sections in this guide. In that case you can list the violation under both matched categories. |
| 135 | +- In language check, remember that a period, exclamation mark and questionmark signifies the end of the sentence. |
0 commit comments