Careful, risk analysts – it’s easy to miss the difference between these sound-alike pairs of terms when you scope a FAIR risk analysis:
- Probability vs. Possibility
- Loss Event vs. Threat Event
- Contact vs. Threat Event
They’re critical to defining just how the loss will take place. If you’re new to FAIR or need a refresher, take a look at the FAIR Model infographic – these are inputs for the left side. Get them confused and your analysis can easily run away from you.
Probability vs. Possibility
In quantitative risk analysis, a possibility is anything bad that could conceivably go wrong. There is some value in brainstorming the threats, actions and events that could materialize, but the number of possibilities is effectively infinite.
It is far more valuable to focus on the scenarios your organization is most likely to encounter, a set that is usually much smaller and more manageable. Ask yourself: are you realistically going to be a target of hostile foreign nations or hacktivists?
Taking probability a step further, time-bounding the scenarios you consider (e.g. "Event B is likely to occur about once every two years") also helps you narrow the list to the scenarios that are relevant for analysis.
Why it matters:
One of the main goals of a risk management team is to prioritize the issues an organization should tackle. Risk teams also have limited people and time, so we need to spend our effort on the risk scenarios that matter most.
Loss Event vs. Threat Event
It may seem straightforward, but I often find these two terms get confused and used interchangeably. Analysts are sometimes eager to estimate at the top of the frequency (left) side of the FAIR model, which is Loss Event Frequency (LEF), but end up entering values that really represent a variable lower in the model.
The key difference is that threat events include every action a threat actor takes against the asset, including the ones that fail or otherwise never produce a loss. In the FAIR model, LEF is derived from Threat Event Frequency (TEF) by multiplying it by Vulnerability, the probability that a threat event turns into a loss event. When deciding whether to estimate at TEF or directly at LEF, ask yourself: "Did loss occur?" If the events you are counting include attempts that did not result in loss, you are estimating TEF, not LEF.
Why it matters:
Confusing a loss event with a threat event in an analysis will lead to inaccurate results. Remember, Loss Event Frequency is how often the organization actually suffers a loss, i.e. how often the damaging event materializes.
Contact vs. Threat Event
Let’s discuss what else is often confused with a threat event. Simply put, Contact Frequency is how often a threat actor comes into contact with an asset. The key differentiator between Contact Frequency and Threat Event Frequency is action: if the threat actor comes into contact with the asset but takes no further action against it, a threat event has not occurred.
For example, it can be difficult to decide what counts as a threat event when looking at scans of an externally facing system. This kind of activity is often information gathering that could later be used to formulate an attack. The attack, when it comes, would be a threat event; the scan itself is only a contact.
Why it matters:
Using contact frequency estimates in place of threat event frequency can severely inflate the results of your analysis. Take the time to clearly define and identify the three kinds of frequency in the FAIR model (contact, threat event and loss) and what each represents for your risk scenarios.
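The two tests from the last two sections, "did the actor take action?" and "did loss occur?", are easy to turn into a classifier that sorts raw observations into contacts, threat events and loss events, and then derives the three frequencies from a sample. The following is an added example written for this article; it is not code from the original post or from the FAIR standard. The sample year of activity against a web server is constructed, and the factoring it backs out (TEF = Contact Frequency × Probability of Action, LEF = TEF × Vulnerability) is the standard FAIR decomposition of the frequency side. The last function shows the inflation you get by plugging Contact Frequency in where TEF belongs.

```python
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    """Where an observation sits on the frequency side of the FAIR model."""
    CONTACT = "contact"            # actor touched the asset but took no action against it
    THREAT_EVENT = "threat_event"  # actor acted against the asset; the action may have failed
    LOSS_EVENT = "loss_event"      # the action succeeded and the organization suffered loss


@dataclass(frozen=True)
class Observation:
    """One observed interaction between a threat actor and an asset (constructed data)."""
    description: str
    acted: bool  # the "action" test: did the actor act against the asset?
    loss: bool   # the "Did loss occur?" test: did that action cause a loss?

    def __post_init__(self):
        # A loss without an action is inconsistent data; reject it at construction time.
        if self.loss and not self.acted:
            raise ValueError(f"{self.description!r}: a loss event requires an action")


def classify(obs: Observation) -> Stage:
    """Apply the two questions from the article, most specific outcome first."""
    if obs.loss:
        return Stage.LOSS_EVENT
    if obs.acted:
        return Stage.THREAT_EVENT
    return Stage.CONTACT


def frequencies(observations, years: float = 1.0) -> dict:
    """Annualized contact, threat event and loss event frequencies.

    The stages nest: every loss event was also a threat event, and every
    threat event was also a contact, so the counts are cumulative.
    """
    contact = threat = loss = 0
    for obs in observations:
        stage = classify(obs)
        contact += 1
        if stage in (Stage.THREAT_EVENT, Stage.LOSS_EVENT):
            threat += 1
        if stage is Stage.LOSS_EVENT:
            loss += 1
    return {
        "contact": contact / years,
        "threat_event": threat / years,
        "loss_event": loss / years,
    }


def derived_factors(freqs: dict) -> dict:
    """Back out the FAIR factors linking the three frequencies:
    TEF = CF x Probability of Action and LEF = TEF x Vulnerability."""
    cf, tef, lef = freqs["contact"], freqs["threat_event"], freqs["loss_event"]
    return {
        "probability_of_action": tef / cf if cf else 0.0,
        "vulnerability": lef / tef if tef else 0.0,
    }


def misestimated_lef(freqs: dict) -> float:
    """The LEF an analyst gets by using Contact Frequency where TEF belongs."""
    return freqs["contact"] * derived_factors(freqs)["vulnerability"]


# Constructed sample: one year of activity against an internet-facing web server.
SAMPLE_YEAR = (
    [Observation("port scan of the web server", acted=False, loss=False)] * 200
    + [Observation("exploit attempt blocked by the WAF", acted=True, loss=False)] * 18
    + [Observation("exploit succeeded, customer data exfiltrated", acted=True, loss=True)] * 2
)

if __name__ == "__main__":
    f = frequencies(SAMPLE_YEAR)
    print(f)                   # contact 220/yr, threat_event 20/yr, loss_event 2/yr
    print(derived_factors(f))  # probability_of_action 20/220, vulnerability 0.1
    print("LEF if CF is mistaken for TEF:", misestimated_lef(f))  # 22.0, versus the real 2.0
```

With the constructed sample, the scans make up 200 of the 220 contacts, so treating Contact Frequency as TEF reports 22 loss events a year instead of 2, an eleven-fold inflation from a single mislabelled variable. The `__post_init__` check is there because the same confusion shows up in data as well as in estimates: a record marked as a loss with no action behind it is a sign the frequencies were mixed up upstream.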