Keep in mind that a threat is a person, group of people, force of nature, etc. that can act against an asset in a way that results in loss, and take a look at the list MIT published:
What the MIT Technology Review presented is a confusing list of outcomes and attack methods all grouped under the misused term “threats.”
Articles like this reinforce the need for risk management professionals, cyber security analysts and managers, and the cybersecurity press to align on common vocabulary in order to improve communication and enhance our collective effectiveness and credibility.
Toward that end, let’s revisit the definitions of the threat-related terms used in the FAIR model and FAIR-based analysis.
Threat event frequency refers to the number of times over a given timeframe (typically a year) that a threat will act against the asset you’re concerned about in a way that could result in loss. How many times will a hurricane threaten a processing facility, possibly taking it offline? How many times will nation-state hackers attempt to breach the confidentiality of your organization’s sensitive information? Note that the threat event is the attempt — once the threat has impacted the asset in a way that causes realized losses, a loss event has occurred.
Whether a loss event occurs depends on the asset’s vulnerability to the given threat event. Vulnerability, in FAIR terms, is the percentage of threat events of the type that are in-scope for your analysis that will result in loss.
Vulnerability is derived from threat capability and resistance strength. How skilled, well-resourced and knowledgeable are the attackers? How much skill, knowledge, and resourcing is required to overcome the controls defending the asset from threat events? These two variables are measured as percentiles along the threat capability continuum, a spectrum ranging from the most inept attackers to the most advanced. While analysts rarely need to estimate at this level of the model, it’s critical that you understand what threat capability and resistance strength represent and how they work so you’re thinking with the right mindset when you estimate vulnerability directly.
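To make the relationships above concrete, here is an added Monte Carlo sketch (not FAIR Institute tooling, and not from the original post) that samples threat event frequency, threat capability and resistance strength from constructed min / most-likely / max ranges, derives vulnerability as the share of threat events in which the attacker's capability percentile exceeds the controls' resistance percentile, and multiplies by threat event frequency to get loss event frequency. Triangular distributions and the sample estimates are assumptions for illustration only.

```python
import random
from dataclasses import dataclass


@dataclass
class Estimate:
    """A calibrated min / most-likely / max range, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


def simulate(tef: Estimate, tcap: Estimate, rs: Estimate,
             trials: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo over the FAIR threat-side variables.

    tef  - threat event frequency: attempts against the asset per year
    tcap - threat capability: percentile (0-100) on the attacker continuum
    rs   - resistance strength: percentile of attackers the controls can stop
    Returns mean TEF, vulnerability (fraction of attempts that succeed) and
    loss event frequency = TEF x vulnerability.
    """
    rng = random.Random(seed)            # fixed seed keeps the run reproducible
    tef_total = 0.0
    successes = 0
    for _ in range(trials):
        tef_total += tef.sample(rng)
        # A threat event becomes a loss event when the attacker's capability
        # exceeds the resistance strength the asset's controls present.
        if tcap.sample(rng) > rs.sample(rng):
            successes += 1
    mean_tef = tef_total / trials
    vulnerability = successes / trials
    return {"tef": mean_tef, "vulnerability": vulnerability,
            "lef": mean_tef * vulnerability}


if __name__ == "__main__":
    # Constructed estimates: 2-6 attempts per year to breach the confidentiality
    # of sensitive data (most likely 2), attackers around the 60th-85th
    # percentile, and controls that stop roughly the 50th-75th percentile attacker.
    result = simulate(tef=Estimate(2, 2, 6),
                      tcap=Estimate(60, 70, 85),
                      rs=Estimate(50, 65, 75))
    for name, value in result.items():
        print(f"{name}: {value:.3f}")
```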
If we are all diligent in our use of these threat-related terms we can contribute to the eventual adoption of the FAIR lexicon, a critical step in the advancement of the risk management profession toward better communication and clearer thinking.
To learn more about the variables and vocabulary of the FAIR model, enroll in FAIR Analysis Fundamentals training today.