The FAIR taxonomy uses the term “vulnerability” in a special way that differs significantly from how it is used by CERT and many network and software scanners.
- “Vulnerability” in FAIR is “the probability that a threat event will become a loss event.”
- The usual meaning of “vulnerability” in information security is a flaw or sub-optimal configuration in software or hardware.
The taxonomy breaks Vulnerability into two component drivers: Threat Capability and Resistance Strength. (I’ll use initial capitals to make it clear where FAIR-defined words are meant. I’ll also use the standard abbreviations Vuln, TCap, and RS.) Note that since Vulnerability is a probability, it is a number between 0 and 1, or 0% and 100%.
- Threat Capability is defined as “the probable level of force that a threat agent is capable of applying against an asset,” leaving it to the analyst to identify what kind of “force” is to be considered for the scenario at hand, and how to quantify it. “Probable level” is a hint that TCap is a probability distribution, though it could be a single number in a simple case.
- Resistance Strength is defined as “the strength of a control as compared to a baseline unit of force.”
The accompanying discussion in the standard emphasizes that RS is to be measured on the same scale as TCap, which is helpful to the extent that one has already worked out what “force” means for the TCap. To help fix ideas for all three concepts, the standard offers the example of a weight (the Threat Agent) on a rope (a control that protects an asset – maybe your toes beneath the weight). The force is gravity and its measure is pounds-force or newtons; the Resistance Strength is the tensile strength of the rope, so it too is measured in pounds-force or newtons. The Vulnerability is then the probability that a specific weight, or a population of possible weights, will exceed the tensile strength of the rope.
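The rope example carried through numerically, as an added illustration that is not from the post or the FAIR standard: Vulnerability is computed as P(TCap > RS), both exactly (assuming the weight and the rope's tensile strength are normally distributed) and by Monte Carlo simulation, which works for any TCap and RS distributions; the means and standard deviations are constructed values.

```python
import math
import random


def vulnerability_closed_form(tcap_mean, tcap_sd, rs_mean, rs_sd):
    """Vuln = P(TCap > RS) when both are normally distributed.

    TCap - RS is then normal with mean (tcap_mean - rs_mean) and
    variance (tcap_sd^2 + rs_sd^2), so the probability is a normal CDF.
    """
    mu = tcap_mean - rs_mean
    sd = math.sqrt(tcap_sd ** 2 + rs_sd ** 2)
    if sd == 0:  # single-number case: the weight either exceeds the rope or it does not
        return 1.0 if mu > 0 else 0.0
    return 0.5 * (1.0 + math.erf(mu / (sd * math.sqrt(2.0))))


def vulnerability_monte_carlo(sample_tcap, sample_rs, trials=200_000, seed=1):
    """Estimate Vuln = P(TCap > RS) by simulation.

    Works for any distributions: each sampler takes a random.Random and
    returns one draw of force, in the same unit for both (here newtons).
    """
    rng = random.Random(seed)
    loss_events = sum(1 for _ in range(trials) if sample_tcap(rng) > sample_rs(rng))
    return loss_events / trials


# Constructed parameters for the rope scenario (newtons): a population of
# weights averaging 100 N (sd 15) hung from rope rated around 130 N (sd 10).
WEIGHT_MEAN, WEIGHT_SD = 100.0, 15.0   # Threat Capability
ROPE_MEAN, ROPE_SD = 130.0, 10.0       # Resistance Strength


def rope_scenario_monte_carlo():
    """Simulated Vulnerability for the constructed rope scenario."""
    return vulnerability_monte_carlo(
        lambda rng: rng.gauss(WEIGHT_MEAN, WEIGHT_SD),
        lambda rng: rng.gauss(ROPE_MEAN, ROPE_SD),
    )


if __name__ == "__main__":
    exact = vulnerability_closed_form(WEIGHT_MEAN, WEIGHT_SD, ROPE_MEAN, ROPE_SD)
    simulated = rope_scenario_monte_carlo()
    print(f"Vulnerability (closed form): {exact:.3f}")   # about 0.048
    print(f"Vulnerability (Monte Carlo): {simulated:.3f}")
```

With these constructed numbers roughly 5% of hanging events become loss events; raising the rope's rated strength (RS) or narrowing its variance lowers Vuln without changing the Threat Capability at all.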
I have modeled this risk scenario to help us understand these three ideas better. I hope you will believe that FAIR is applicable much more broadly than only to information risk. In fact, it can be applied to any risk scenario whose losses can be quantified in a single number, commonly dollars.
You can read about this scenario in the Member Resources section of the FAIR Institute at this link.