They’re critical to defining just how the loss will take place. If you’re new to FAIR or need a refresher, take a look at the FAIR Model infographic – these are inputs for the left side. Get them confused and your analysis can easily run away from you.
It is far more valuable to focus on the most probable scenarios your organization will encounter, which are likely much smaller and more manageable in number. Ask yourself: Are you realistically going to be a target of hostile foreign nations or hacker-activists?
Taking probability a step further, time-bounding the scenarios you consider (e.g. Event B is likely to occur once every two years) can also help you focus on the more relevant scenarios for analysis.
Why it matters:
One of the main goals of a risk management team is to prioritize the issues an organization should tackle. And risk teams also have limited resources in people and time – we need to focus our efforts on the risk scenarios that matter most.
The key difference is that threat events consider all actions by a threat actor, including ones which are unsuccessful or do not lead to an actual loss event. When deciding whether to estimate at Threat Event Frequency (TEF) or directly at Loss Event Frequency (LEF) in an analysis, remember to ask yourself: “Did loss occur?”
Why it matters:
Confusing a loss event with a threat event in an analysis will lead to inaccurate results. Remember, Loss Event Frequency is how often the organization actually suffers a loss and the damaging event materializes.
For example, it can sometimes be difficult to decide whether scans of an externally facing system count as a threat event. This type of activity is often information gathering that could later be used to formulate an attack; that attack would be a threat event, but the scan itself would not.
Why it matters:
Using contact frequency estimates for threat event frequency could severely inflate the results of your analysis. Take the time to clearly define and identify the various types of frequencies in the FAIR model -- contact, threat, and loss -- and what they represent for your risk scenarios.
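As an added illustration (example code, not part of the original post or of the FAIR standard's own tooling), the script below sorts a constructed two-year sample of observations against one web server onto the FAIR frequency ladder using the “Did loss occur?” test, derives contact, threat event and loss event frequencies per year, and shows how much the derived LEF inflates if contact frequency is plugged into the TEF slot by mistake. The event list, the two-year window and the vulnerability value of 0.4 are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    CONTACT = 1  # actor came into contact with the asset (e.g. a scan) but took no action
    THREAT = 2   # actor acted against the asset, but no loss materialized
    LOSS = 3     # loss actually occurred


@dataclass(frozen=True)
class Event:
    description: str
    acted: bool  # did the actor act against the asset, beyond reconnaissance?
    loss: bool   # the FAIR test: "Did loss occur?"


def classify(ev: Event) -> Level:
    """Place one observed event on the FAIR frequency ladder."""
    if ev.loss:
        return Level.LOSS
    return Level.THREAT if ev.acted else Level.CONTACT


# Constructed sample: two years of observations against one externally facing web server.
YEARS = 2
EVENTS = [
    Event("external port scan", acted=False, loss=False),
    Event("vulnerability scanner probing the login page", acted=False, loss=False),
    Event("automated crawler indexing public pages", acted=False, loss=False),
    Event("credential stuffing attempt stopped by MFA", acted=True, loss=False),
    Event("SQL injection attempt blocked by the WAF", acted=True, loss=False),
    Event("exploit attempt against a plugin that was already patched", acted=True, loss=False),
    Event("stolen credentials used to download customer records", acted=True, loss=True),
    Event("web shell uploaded, site defaced for four hours", acted=True, loss=True),
]


def frequencies(events=EVENTS, years=YEARS):
    """Return (CF, TEF, LEF) in events per year. Each rung includes the rungs above it:
    every loss event was a threat event, and every threat event began with contact."""
    levels = [classify(e) for e in events]
    lef = sum(lv is Level.LOSS for lv in levels)
    tef = lef + sum(lv is Level.THREAT for lv in levels)
    cf = tef + sum(lv is Level.CONTACT for lv in levels)
    return cf / years, tef / years, lef / years


def derived_lef(vulnerability, events=EVENTS, years=YEARS):
    """LEF derived the FAIR way (TEF x Vulnerability), beside the inflated figure that
    results from mistakenly using contact frequency in place of TEF."""
    cf, tef, _ = frequencies(events, years)
    return tef * vulnerability, cf * vulnerability
```

With the sample above, CF is 4.0, TEF 2.5 and LEF 1.0 events per year; at a vulnerability of 0.4 the derived LEF of 1.0 matches what was observed, while the contact-based figure overstates it by 60%.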