Exploring F.A.I.R. – Taxonomy – Threat Event Frequency

by kriggins on July 30, 2009

in Educational, fair, Risk Management

Well, there I go again, I keep saying I am going to get back to it and then leave you hanging. No real excuse this time other than being mondo busy.

As usual, all the posts in this series can be found on this page if you want a refresher or are just now jumping on the bandwagon.

Anyway, last time we started talking about the taxonomy and the definition of risk from FAIR's perspective. As mentioned, we are going to leave those alone for a bit. We are going to build the taxonomy from the ground up. So, without further ado, here is where we are starting.

Threat Event Frequency

We start with the first component of Loss Frequency, which is threat event frequency (TEF). From the introduction, threat event frequency is:

The probable frequency, within a given timeframe, that a threat agent will act against an asset.

In other words: how many times, within some period, will the bad guy try to do something evil to our treasured asset? This is important to know in determining how often we might actually suffer a loss.

So, to figure out the "how many in how much time" part of the equation, we need to look at a couple of things: contact and action. However, we are not talking about binary definitions here, such as 'was there contact or not'.

First let's talk contact. From the introduction, contact is:

The probable frequency, within a given timeframe, that a threat agent will come into contact with an asset.

There are three things we want to consider. We are interested in whether the bad guy has regular or random contact with our treasure: is contact the result of pure chance, or is there some regularity to it? We are also really interested in whether the contact is intentional or not. Is the bad guy looking specifically for the types of treasure you have, or are we a target of opportunity?

Now action. From the introduction, action is:

The probability that a threat agent will act against an asset once contact occurs.

Again, we want to look at three things: asset value, vulnerability, and risk. Is it worth it to the bad guy to try something, i.e. is the value of the asset high enough? How vulnerable does the bad guy perceive the treasure to be? Our treasure is much less vulnerable sitting in a bank vault than it is sitting unwatched on a table in a crowded room. Finally, what is the risk to the bad guy? How likely is he to get caught if he tries to make contact?

All these factors must be taken into consideration when we are thinking about threat event frequency.
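To make the contact and action discussion above concrete, here is a small worked example. It is added here and is not code from the original post or from the FAIR project. FAIR derives TEF as the product of contact frequency (contacts per year) and probability of action (the chance the threat agent acts once in contact). The 0-to-1 scales for the three action factors, the way they are combined, and the vault-versus-table scenario numbers are all illustrative assumptions, not FAIR-prescribed values.

```python
"""Threat Event Frequency (TEF) from contact and action factors.

Added worked example; not from the original post or the FAIR project.
TEF (per year) = Contact Frequency (per year) * Probability of Action.
The numeric scales and the combining formula are assumptions for
illustration only.
"""

from dataclasses import dataclass


@dataclass
class Contact:
    """How often the threat agent comes into contact with the asset."""
    frequency_per_year: float  # estimated contacts per year
    kind: str                  # "random", "regular" or "intentional" (descriptive only)


@dataclass
class ActionFactors:
    """The three things the post says drive the decision to act, each on a
    constructed 0..1 scale."""
    asset_value: float              # perceived payoff to the attacker (1 = very valuable)
    perceived_vulnerability: float  # how easy the asset looks (1 = wide open)
    risk_to_attacker: float         # perceived chance of being caught (1 = certain)


def probability_of_action(f: ActionFactors) -> float:
    """Combine the action factors into a probability in [0, 1].

    Assumed model: higher value and higher perceived vulnerability raise the
    odds of acting; higher risk to the attacker lowers them.
    """
    for v in (f.asset_value, f.perceived_vulnerability, f.risk_to_attacker):
        if not 0.0 <= v <= 1.0:
            raise ValueError("action factors must be in the range [0, 1]")
    return f.asset_value * f.perceived_vulnerability * (1.0 - f.risk_to_attacker)


def threat_event_frequency(contact: Contact, f: ActionFactors) -> float:
    """TEF per year: contacts per year times the chance each contact turns
    into an attempt against the asset."""
    if contact.frequency_per_year < 0:
        raise ValueError("contact frequency cannot be negative")
    return contact.frequency_per_year * probability_of_action(f)


# Constructed scenarios mirroring the post's bank vault vs. crowded room
# comparison. The same treasure is contacted rarely in the vault, and when
# it is, it looks hard to take and the attacker is likely to be caught.
VAULT = (
    Contact(frequency_per_year=5, kind="intentional"),
    ActionFactors(asset_value=0.9, perceived_vulnerability=0.1, risk_to_attacker=0.8),
)
# On a table in a crowded room it is contacted constantly, looks easy to
# take and the attacker expects little chance of being caught.
TABLE = (
    Contact(frequency_per_year=200, kind="random"),
    ActionFactors(asset_value=0.9, perceived_vulnerability=0.9, risk_to_attacker=0.2),
)


def compare_scenarios() -> dict:
    """Return TEF per year for each constructed scenario."""
    return {
        "vault": threat_event_frequency(*VAULT),
        "table": threat_event_frequency(*TABLE),
    }


if __name__ == "__main__":
    for name, tef in compare_scenarios().items():
        print(f"{name:6s} TEF ~ {tef:.3f} threat events / year")
```

Note the two halves pull in the same direction: the vault both reduces contact and shrinks the probability of action, so the resulting TEF drops by orders of magnitude rather than by a single factor.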

Next we will explore the other half of loss frequency, vulnerability. I'll tell you right now that it is not what you think it is, unless, of course, you are already familiar with the FAIR Taxonomy. 🙂

As usual, drop me a note or leave me a comment with your thoughts.

-Kevin


Patrick Florer July 31, 2009 at 10:24 am

Hello, Kevin –

I am writing to take a bit of issue with your use of the word “vulnerability” to describe one of the factors in your definition of “Action”.

It’s not that I don’t agree that attackers consider vulnerabilities, as typically understood (weaknesses and defects), as part of their decision matrix.

Rather, it’s because in the FAIR methodology, vulnerability has another, very specific definition: the probability that an asset will be unable to resist the actions of a threat agent.

That’s to say that if the threat capability is greater than the control resistance strength(s), then you have some degree of vulnerability; if not, then you are not vulnerable, to that threat, at least.

In my view, this specific definition of vulnerability is one of the most useful, powerful, and pragmatic concepts that FAIR brings to the risk assessment process.

The term I use in my work with FAIR is “Level of Effort” (I am pretty sure that this comes from Jack.)

Using “Level of Effort” captures something about the threat agent’s assessment of vulnerability, but puts the focus on the threat agent rather than on the asset, which is where I think it belongs when working this part of the decision tree.

My two cents worth –

Patrick


kriggins July 31, 2009 at 11:31 am

@Patrick,

First, thanks for the comment. Second, thanks for writing the next post for me 🙂

“Level of Effort” does make a certain amount of sense when talking about action and I know where it comes from now.

I used the terminology stated in the Introduction to FAIR, (http://fairwiki.riskmanagementinsight.com/?page_id=16). Based on your comment I went back to the Open Group Risk Taxonomy, which adopted the FAIR taxonomy, and sure enough, “level of effort” is used there instead of vulnerability. Jack must have updated it and the Introduction is now a bit out of date.

I will update the post.

Thanks for pointing this out.

-Kevin


Patrick Florer August 15, 2009 at 8:33 am

Sorry about that – didn’t mean to preempt anything.

And sorry to be so tardy to respond.

I hope that the next post will be forthcoming soon.

You are performing a valuable service by teaching the infosec world about FAIR.

Best –

Patrick
