|
| 1 | +# Playbook Guide |
| 2 | + |
| 3 | +## Playbook linting rules |
| 4 | + |
| 5 | +- WARN: Title should be shorter than 35 characters |
| 6 | +- WARN: Summary should be shorter than 105 characters |
| 7 | +- MUST: Playbook should have a realistic time estimate for user execution when everything goes as planned |
| 8 | + on average. (Time to fix findings is not included in the estimate) |
| 9 | +- MUST: Playbook audience should be personal, if it is designed for individual use (e.g. instead of a company) |
| 10 | +- MUST: Playbook audience should be business if it is designed for organization's use |
| 11 | +- MUST: Playbook serviceTier should be free if it can be executed with a free badrap.io account |
| 12 | +- MUST: Playbook serviceTier should be automation if automation tier is needed and enough to execute. |
| 13 | +- MUST: Playbook should be tagged as full service if full service tier is needed for the execution |
| 14 | +- MUST: Playbooks should have an author. |
| 15 | +- MUST: Playbooks should have an introduction which describes the (business or personal) risk the playbook is addressing. |
| 16 | + No need to sell, just help to align. |
| 17 | +- MUST: Playbooks should have an introduction which briefly describes how the playbook addresses the problem. |
| 18 | +- MUST: The introduction title should be "Introduction" |
| 19 | +- MUST: Playbook should have Playbook.CompletionStep React component at the end of Playbook.Steps |
| 20 | +- MUST: Playbook steps should clearly describe activities in that step |
| 21 | +- MUST: Playbook step title should focus on the task. It should not focus on badrap.io -specific step |
| 22 | +- MUST: Steps must be clearly scoped. There should not be two steps which address the same topic |
| 23 | +- MUST: Account creation suggestions for unauthenticated users should describe why from the playbook perspective |
| 24 | +- MUST: Step title should focus on describing the task user will execute |
| 25 | +- MUST: Playbook should address how to fix potential issues |
| 26 | +- MUST: Playbook should not have typos and grammatical errors |
| 27 | +- WARN: Playbook step focuses too much on describing badrap-specific execution instead of giving badrap-agnostic |
| 28 | + advice on how to accomplish a task (Badrap perks and benefits can be mentioned, as long as the step starting point is general advice) |
| 29 | +- WARN: When the playbook step discusses talking to experts or needing advice, it should have "Book a meeting" link similar to other playbooks |
| 30 | +- MUST: Book a meeting explanation should describe a reason why the user would want to book the meeting |
| 31 | +- MUST: Book a meeting explanation must be relevant to the specific step where it appears, not generic or referencing other steps' activities |
| 32 | +- WARN: Book a meeting explanation should be at most 75 characters |
| 33 | +- MUST: Explanation should not repeat "book a meeting" if it is already mentioned in the button |
| 34 | +- WARN: the playbook structure should not deviate much from other playbooks. Consider both content and html/css |
| 35 | +- WARN: Avoid excessive use of images. Only introduction section should have an image. |
| 36 | +- WARN: Avoid suggesting "also do this" activities that are separate from the playbook's core objective. |
| 37 | + Each playbook step must directly contribute to achieving the playbook's core objective. Steps that feel like |
| 38 | + "nice to have" or "while you're at it" activities should be reconsidered. Training or educational steps must |
| 39 | + be scoped to the current task, not as general improvement opportunities. Service promotion should not drive step |
| 40 | + inclusion - steps must serve the task at hand |
| 41 | +- MUST: If there is an app which automates the step, or part of the step, the app should be listed in that step. |
| 42 | +- MUST: Use consistent terminology. For example if you talk about data breaches, don't switch to data leaks |
| 43 | + all of a sudden. |
| 44 | + |
| 45 | +## badrap.io language guide |
| 46 | + |
| 47 | +- Use active and casual tone |
| 48 | +- Be positive |
| 49 | +- Avoid marketing hype |
| 50 | +- Avoid corporate jargon |
| 51 | +- Use first person singular when it is obvious that a person is the actor: |
| 52 | + - Good: "I thought I'd inform you about..." |
| 53 | + - Bad: "We're informing you about..." |
| 54 | +- Avoid using faceless organization as an actor. |
| 55 | + - Good: "We in Badrap believe that cyber security should be easy." |
| 56 | + - Bad: "Badrap believes that cyber security should be easy." |
| 57 | +- You can use acronyms also when you are pointing to a specific technical object, such as a service or a protocol |
| 58 | +- Avoid also other cybersecurity jargon in general, not just acronyms. |
| 59 | +- Avoid military and war terminology when the topic is not related to military and war. Examples: |
| 60 | + - Instead of "Weaponization" use wording, such as "creating a way to exploit a vulnerability" |
| 61 | + - Instead of "Cyber Kill Chain" use wording, such as "steps that criminals take to break into a computer system" |
| 62 | +- Playbooks are designed to make cyber security easy. Reflect that with the choice of words. Examples: |
| 63 | + - Bad: "share details with expert", better: "share the details you have easily available" |
| 64 | + - Bad: "get a comprehensive report with all the details", better: "get a concise report with the |
| 65 | + necessary details to fix the issues". |
| 66 | +- Avoid long sentences. Sentences over 130 characters need to be very clear otherwise. Never go beyond 160 characters. |
| 67 | +- Use badrap.io always instead of Badrap, unless the text needs to refer to the actual legal entity (Badrap Oy). |
| 68 | + |
| 69 | +## Playbook design principles |
| 70 | + |
| 71 | +### What they are |
| 72 | + |
| 73 | +Playbooks: |
| 74 | + |
| 75 | +- provide a step-by-step guide to help readers to complete cybersecurity tasks and goals |
| 76 | +- help customers to achieve clearly defined bite-sized cyber security goals that can be |
| 77 | + achieved in a reasonable time |
| 78 | +- enable cyber security self-service |
| 79 | +- make tasks easier over time as many of them build on top of the common groundwork tasks |
| 80 | +- are something people do periodically, or eventually |
| 81 | +- are perfect for someone to explain to their manager (or parents) what should be |
| 82 | + done to improve cyber security |
| 83 | +- are a source of delight: "you've now completed this playbook", |
| 84 | + "you have all these cyber security processes active as you have |
| 85 | + completed these playbooks". |
| 86 | + |
| 87 | +### Why people like to execute playbooks on badrap.io platform |
| 88 | + |
| 89 | +Playbooks on badrap.io make accomplishing the customer's goals easier because they: |
| 90 | + |
| 91 | +- offer automation for the steps that can be automated |
| 92 | +- provide easy ways to connect different pieces of automations for accomplishing a specific task |
| 93 | +- provide easy ways to get help if customers get stuck on the task at hand |
| 94 | +- give an easy access to a vast network of experts of different topics |
| 95 | +- establish and support a repeatable process required by information security management systems, |
| 96 | + cyber security standards and regulation |
| 97 | +- allow people to report upwards and to remind themselves about all the cyber security achievements |
| 98 | + and progress after they have engaged the playbook. |
| 99 | +- executing tasks get even easier over time: |
| 100 | + - when steps are automated, many annual tasks turn into quick annual reviews |
| 101 | + - the groundwork steps are often shared between different playbooks. Completing a |
| 102 | + playbook can mean some of the steps in other playbooks are already done. |
| 103 | + E.g. "Now that you completed playbook X, five out of seven steps of playbook Y are already done |
| 104 | + |
| 105 | +## More philosophical points of playbooks: |
| 106 | + |
| 107 | +- They can also be something we or our partners mostly do as a service |
| 108 | +- They can be something somebody else mostly does as a service |
| 109 | + |
| 110 | +### Conversion opportunities |
| 111 | + |
| 112 | +- If certain apps make sense for certain tasks then make adding them easy. For example, if certain asset types are relevant for the tasks then make claiming them easy with apps |
| 113 | +- If some task requires manual work, offer an opportunity to outsource it (e.g. simply link to booking calendar for an expert service provider) |
| 114 | +- If app or service requires paid subscription, still show their availability in context of the task at hand but offer the subscription to unlock them |
| 115 | + |
| 116 | +## Instructions for AI reviewers |
| 117 | + |
| 118 | +Categorize the checks to the following categories: |
| 119 | + |
| 120 | +- Linting rules check: |
| 121 | + - Only evaluate compliance with the explicit MUST and WARN requirements listed in this guide |
| 122 | + - List the status for all rules under this section |
| 123 | +- Language checks: |
| 124 | + - List issues that violate language guide section |
| 125 | + - List grammar & typo fixes |
| 126 | +- Design principle check: |
| 127 | + - Check issues that might violate playbook design principles |
| 128 | + |
| 129 | +Also follow these rules: |
| 130 | + |
| 131 | +- Follow the category structure above when outputting results. Don't invent new subcategories. You may, however, include a summary of the findings at the end. |
| 132 | +- When looking at the source code, understand that some of the playbook metadata can be included from other files. |
| 133 | +- Be precise when listing violations. Make sure you refer to the exact part of the guide. |
| 134 | +- Don't confuse the sections. When the playbook violates linting rules, list the finding there and not under a wrong section, for example under design principle check in this case. |
| 135 | +- Warn if the same requirement is covered by several sections in this guide. In that case you can list the violation under both matched categories. |
| 136 | + |
| 137 | +Remember these when checking language issues: |
| 138 | + |
| 139 | +- Do not report non-issues in the reveiw, just issues. |
| 140 | +- When checking sentence lenght, remember that a period, exclamation mark and questionmark signifies the end of the sentence. |
| 141 | +- When flagging a long sentence, display the original version and suggest new wording. |
| 142 | +- Spot misuse of the apostrophe. Flag if the text says for example "users" when the context looks like it should say "user's", e.g. the apostrophe is missing or in the wrong place. |
| 143 | +- Check for incorrect terminal punctuation marks at the end of sentences (periods, question marks, exclamation points) |
| 144 | + and flag any that don't match the sentence's intended meaning or grammatical structure. |
| 145 | +- When reviewing lists, ensure all items are punctuated consistently, whether with commas, semicolons, or no punctuation at all. |
| 146 | +- When looking at the source code, understand that ' equals to apostrophe |
| 147 | +- Find space-will-be-missing issues when reviewing .tsx files. Carefully check every line that ends with a closing HTML tag (like `</em>`, `</strong>`, |
| 148 | + `</a>`, etc.) - if text continues on the immediately following line without any explicit space character or JSX space expression `{" "}`, this will cause missing spaces in the rendered output. See the examples below. |
| 149 | + |
| 150 | +Space-will-be-missing issue examples |
| 151 | + |
| 152 | + <p> |
| 153 | + If you're an <em>automation</em> or <em>full service</em> |
| 154 | + subscriber, you have access... |
| 155 | + </p> |
0 commit comments