The FAIR taxonomy uses the term “vulnerability” in a special way that differs significantly from how it is used by CERT and many network and software scanners.
The accompanying discussion in the standard emphasizes that RS must be measured on the same scale as TCap, which is helpful only to the extent that one understands what "force" means for TCap. To fix ideas for all three concepts, the standard offers the example of a weight (the Threat Agent) hanging from a rope (the control that protects an asset, perhaps your toes beneath the weight). The force is gravity, measured in pounds-force or newtons; the Resistance Strength is the tensile strength of the rope, so it too is measured in pounds-force or newtons. The Vulnerability is then the probability that a specific weight, or a population of possible weights, will exceed the tensile strength of the rope.
I have modeled this risk scenario to help clarify these three ideas. I hope it will persuade you that FAIR applies far more broadly than information risk alone: it can be applied to any risk scenario whose losses can be quantified in a single number, commonly dollars.
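The weight-on-a-rope scenario, worked as an added example that is not the author's model or the FAIR standard's own code: Vulnerability is computed as the probability that Threat Capability (the weight, a force in newtons) exceeds Resistance Strength (the rope's tensile strength, also in newtons), first for a known population of weights against a rope of known strength, then by Monte Carlo when both force and strength are uncertain. All force values and distributions below are constructed for illustration.

```python
import random
from typing import Callable, List

# Constructed population of possible weights (TCap) and a rope rated at
# 1000 N (RS); same unit on both sides, as the standard requires.
WEIGHTS_N: List[float] = [500.0, 800.0, 950.0, 1050.0, 1300.0]
ROPE_STRENGTH_N: float = 1000.0


def vulnerability_fixed_rope(weights_n: List[float], rope_strength_n: float) -> float:
    """Vulnerability = fraction of the weight population whose force exceeds RS."""
    if not weights_n:
        raise ValueError("need at least one weight in the population")
    exceed = sum(1 for w in weights_n if w > rope_strength_n)
    return exceed / len(weights_n)


# Constructed samplers: weights uniform over 400..1200 N, and a rope whose
# real tensile strength is only known to lie uniformly within 900..1100 N.
def sample_tcap(rng: random.Random) -> float:
    return rng.uniform(400.0, 1200.0)


def sample_rs(rng: random.Random) -> float:
    return rng.uniform(900.0, 1100.0)


def vulnerability_monte_carlo(tcap: Callable[[random.Random], float],
                              rs: Callable[[random.Random], float],
                              trials: int = 100_000, seed: int = 7) -> float:
    """Estimate P(TCap > RS) by sampling force and resistance independently.
    A fixed seed keeps the estimate reproducible between runs."""
    rng = random.Random(seed)
    exceed = sum(1 for _ in range(trials) if tcap(rng) > rs(rng))
    return exceed / trials


def example_vulnerabilities() -> tuple:
    """Both views of the same scenario: (fixed-rope fraction, Monte Carlo estimate)."""
    fixed = vulnerability_fixed_rope(WEIGHTS_N, ROPE_STRENGTH_N)
    uncertain = vulnerability_monte_carlo(sample_tcap, sample_rs)
    return fixed, uncertain


if __name__ == "__main__":
    fixed, uncertain = example_vulnerabilities()
    print(f"Vulnerability, known weights vs 1000 N rope: {fixed:.2f}")
    print(f"Vulnerability, uncertain weight and rope:     {uncertain:.3f}")
```

For the uniform distributions above the exact answer is 0.25 (the expected fraction of weights above the rope's mean strength), so the Monte Carlo estimate can be checked against a closed form before trusting the sampler on messier distributions.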
You can read about this scenario in the Member Resources section of the FAIR Institute at this link.