Well, there I go again, I keep saying I am going to get back to it and then leave you hanging. No real excuse this time other than being mondo busy.
As usual, all the posts in this series can be found on this page if you want a refresher or are just now jumping on the band wagon.
Anyway, last time we started talking about the taxonomy and the definition of risk from FAIR's perspective. As mentioned, we are going to leave those alone for a bit. We are going to build the taxonomy from the ground up. So, without further ado, here is where we are starting.
We start with the first component of Loss Frequency which is threat event frequency (TEF.) From the introduction, threat event frequency is:
The probable frequency, within a given timeframe, that a threat agent will act against an asset.
In other words, how many times within some amount of time will the bad guy try to do something evil to our treasured asset. This is important to know in determining how often we might actually suffer a loss.
So, to figure out the how many in how much part of the equation, we need to look at a couple things, contact and action. However, we are not talking about binary definitions here such as 'was there contact or not'.
First let's talk contact. From the introduction, contact is:
The probable frequency, within a given timeframe, that a threat agent will come into contact with an asset.
There are three things we want to consider. We are interested in whether the bad guy has regular or random contact with our treasure. Is contact the result of just random chance or is there some regularity to the contact? We are also really interested in whether the contact is intentional or not. Is the bad guy looking specifically for the types of treasure you have or are we target of opportunity.
Now action. From the introduction, action is:
The probability that a threat agent will act against an asset once contact occurs.
Again, we want to look at three things, asset value, vulnerability, and risk. Is it worth it to the bad guy to try something, i.e. is the value of the asset high enough. How vulnerable does the bad guy perceive the treasure to be. Our treasure is much less vulnerable sitting in a bank vault than it is sitting unwatched on a table in a crowded room. Finally, what is the risk to the bad guy. How likely is he to get caught if he tries to make contact.
All these factors must be taken into consideration when we we are thinking about threat event frequency.
Next we will explore the other half of loss frequency, vulnerability. I'll tell you right now that it is not what you think it is, unless, of course, you are already familiar with the FAIR Taxonomy. 
As usual, drop me a note or leave me a comment with your thoughts.
-Kevin
{ 3 comments }