<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Exploring F.A.I.R. &#8211; Taxonomy &#8211; Threat Event Frequency</title>
	<atom:link href="http://www.infosecramblings.com/2009/07/30/exploring-f-a-i-r-taxonomy-threat-event-frequency/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infosecramblings.com/2009/07/30/exploring-f-a-i-r-taxonomy-threat-event-frequency/</link>
	<description>ramblings on various information security topics</description>
	<lastBuildDate>Sat, 31 Jul 2010 16:00:21 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
	<item>
		<title>By: Patrick Florer</title>
		<link>http://www.infosecramblings.com/2009/07/30/exploring-f-a-i-r-taxonomy-threat-event-frequency/comment-page-1/#comment-3282</link>
		<dc:creator>Patrick Florer</dc:creator>
		<pubDate>Sat, 15 Aug 2009 14:33:11 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecramblings.com/?p=1342#comment-3282</guid>
		<description>Sorry about that - didn&#039;t mean to preempt anything.

And sorry to be so tardy to respond.

I hope that the next post will be forthcoming soon.

You are performing a valuable service by teaching the infosec world about FAIR.

Best -

Patrick</description>
		<content:encoded><![CDATA[<p>Sorry about that - didn't mean to preempt anything.</p>
<p>And sorry to be so tardy to respond.</p>
<p>I hope that the next post will be forthcoming soon.</p>
<p>You are performing a valuable service by teaching the infosec world about FAIR.</p>
<p>Best -</p>
<p>Patrick</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: kriggins</title>
		<link>http://www.infosecramblings.com/2009/07/30/exploring-f-a-i-r-taxonomy-threat-event-frequency/comment-page-1/#comment-3032</link>
		<dc:creator>kriggins</dc:creator>
		<pubDate>Fri, 31 Jul 2009 17:31:44 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecramblings.com/?p=1342#comment-3032</guid>
		<description>@Patrick,

First, thanks for the comment. Second, thanks for writing the next post for me :)

&quot;Level of Effort&quot; does make a certain amount of sense when talking about action and I know where it comes from now.

I used the terminology stated in the Introduction to FAIR, (http://fairwiki.riskmanagementinsight.com/?page_id=16). Based on your comment I went back to the Open Group Risk Taxonomy, which adopted the FAIR taxonomy, and sure enough, &quot;level of effort&quot; is used there instead of vulnerability.  Jack must have updated it and the Introduction is now a bit out of date. 

I will update the post.

Thanks for pointing this out.

-Kevin</description>
		<content:encoded><![CDATA[<p>@Patrick,</p>
<p>First, thanks for the comment. Second, thanks for writing the next post for me <img src='http://www.infosecramblings.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>"Level of Effort" does make a certain amount of sense when talking about action and I know where it comes from now.</p>
<p>I used the terminology stated in the Introduction to FAIR, (<a href="http://fairwiki.riskmanagementinsight.com/?page_id=16" rel="nofollow">http://fairwiki.riskmanagementinsight.com/?page_id=16</a>). Based on your comment I went back to the Open Group Risk Taxonomy, which adopted the FAIR taxonomy, and sure enough, "level of effort" is used there instead of vulnerability.  Jack must have updated it and the Introduction is now a bit out of date. </p>
<p>I will update the post.</p>
<p>Thanks for pointing this out.</p>
<p>-Kevin</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Patrick Florer</title>
		<link>http://www.infosecramblings.com/2009/07/30/exploring-f-a-i-r-taxonomy-threat-event-frequency/comment-page-1/#comment-3030</link>
		<dc:creator>Patrick Florer</dc:creator>
		<pubDate>Fri, 31 Jul 2009 16:24:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecramblings.com/?p=1342#comment-3030</guid>
		<description>Hello, Kevin –

I am writing to take a bit of issue with your use of the word “vulnerability” to describe one of the factors in your definition of “Action”.

It’s not that I don’t agree that attackers consider vulnerabilities, as typically understood (weaknesses and defects), as part of their decision matrix.

Rather, it’s because in the FAIR methodology, vulnerability has another, very specific definition:  the probability that an asset will be unable to resist the actions of a threat agent.  

That’s to say that if the threat capability is greater than the control resistance strength(s), then you have some degree of vulnerability; if not, then you are not vulnerable, to that threat, at least.

In my view, this specific definition of vulnerability is one of the most useful, powerful, and pragmatic concepts that FAIR brings to the risk assessment process.

The term I use in my work with FAIR is “Level of Effort” (I am pretty sure that this comes from Jack.)

Using “Level of Effort” captures something about the threat agent’s assessment of vulnerability, but puts the focus on the threat agent rather than on the asset, which is where I think it belongs when working this part of the decision tree.

My two cents worth –

Patrick</description>
		<content:encoded><![CDATA[<p>Hello, Kevin –</p>
<p>I am writing to take a bit of issue with your use of the word “vulnerability” to describe one of the factors in your definition of “Action”.</p>
<p>It’s not that I don’t agree that attackers consider vulnerabilities, as typically understood (weaknesses and defects), as part of their decision matrix.</p>
<p>Rather, it’s because in the FAIR methodology, vulnerability has another, very specific definition:  the probability that an asset will be unable to resist the actions of a threat agent.  </p>
<p>That’s to say that if the threat capability is greater than the control resistance strength(s), then you have some degree of vulnerability; if not, then you are not vulnerable, to that threat, at least.</p>
<p>In my view, this specific definition of vulnerability is one of the most useful, powerful, and pragmatic concepts that FAIR brings to the risk assessment process.</p>
<p>The term I use in my work with FAIR is “Level of Effort” (I am pretty sure that this comes from Jack.)</p>
<p>Using “Level of Effort” captures something about the threat agent’s assessment of vulnerability, but puts the focus on the threat agent rather than on the asset, which is where I think it belongs when working this part of the decision tree.</p>
<p>My two cents worth –</p>
<p>Patrick</p>
]]></content:encoded>
	</item>
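Patrick's definition in the comment above (vulnerability as the probability that a threat agent's capability exceeds the control's resistance strength, rather than a weakness or defect) can be made concrete with a small model. The following is an added example written for this page, not code from the original post, from either commenter, or from the FAIR or Open Group materials. The 0-100 percentile scale follows FAIR's convention; the triangular distribution used as a stand-in for the PERT curves FAIR tooling typically uses, the three-point estimates, and the scenario names are all constructed assumptions for illustration.

```python
"""FAIR-style vulnerability estimate: P(threat capability exceeds resistance strength).

Added example, not part of the original post or comments. The estimates and
scenarios below are constructed illustrations, not data from a real assessment.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (min, most likely, max) on FAIR's 0-100 percentile scale.

    A threat capability of 70 means the agent is more capable than 70% of the
    overall threat population; a resistance strength of 70 means the control
    holds against the bottom 70% of that population.
    """
    low: float
    likely: float
    high: float

    def __post_init__(self):
        if not (100 >= self.high >= self.likely >= self.low >= 0):
            raise ValueError("estimate must satisfy 0 .. low .. likely .. high .. 100")

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as an assumed stand-in for FAIR's PERT curves.
        # random.triangular(low, high, mode) never returns outside [low, high].
        return rng.triangular(self.low, self.high, self.likely)


def point_vulnerability(tcap: float, rs: float) -> float:
    """Patrick's rule with single-point values: the asset is vulnerable to this
    threat only when threat capability exceeds the control resistance strength."""
    return 1.0 if tcap > rs else 0.0


def vulnerability(tcap: Estimate, rs: Estimate, trials: int = 20_000, seed: int = 1) -> float:
    """Monte Carlo estimate of FAIR Vulnerability: the probability that the asset
    is unable to resist the threat agent's action, i.e. P(TCap > RS).

    Ranges that do not overlap give exactly 0.0 or 1.0 (not vulnerable to that
    threat, or always vulnerable); overlapping ranges give 'some degree of
    vulnerability' as a fraction of sampled encounters the control loses.
    """
    rng = random.Random(seed)
    hits = sum(1 for _ in range(trials) if tcap.sample(rng) > rs.sample(rng))
    return hits / trials


# Constructed scenarios: (threat capability estimate, resistance strength estimate).
SCENARIOS = {
    "opportunistic scanners vs patched service behind MFA": (Estimate(5, 20, 40), Estimate(60, 75, 90)),
    "capable intrusion crew vs patched service behind MFA": (Estimate(50, 80, 98), Estimate(60, 75, 90)),
    "capable intrusion crew vs default credentials": (Estimate(50, 80, 98), Estimate(2, 5, 15)),
}


def assess(scenarios=SCENARIOS) -> dict:
    """Vulnerability per scenario, keyed by scenario name."""
    return {name: vulnerability(t, r) for name, (t, r) in scenarios.items()}


if __name__ == "__main__":
    for name, v in assess().items():
        print(f"{name}: vulnerability ≈ {v:.2f}")
```

Note how the same control (resistance strength 60-90) yields zero vulnerability against the low-capability population and a substantial fraction against the capable one, which is the point of keeping "vulnerability" tied to the threat agent rather than to a list of defects in the asset.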
</channel>
</rss>
