Exploring F.A.I.R. – Taxonomy – Vulnerability

by kriggins on July 13, 2010

in fair

As usual, all the posts in this series can be found on this page if you want a refresher or are just now jumping on the bandwagon.

In the last post in this series, a very, very long time ago, we took a look at Threat Event Frequency (TEF). In its simplest form, TEF is how often a threat event happens.

We are now going to take a look at the other component of Loss Frequency (LF), Vulnerability. However, this is not how we normally think of vulnerability.

From the Introduction, Vulnerability is:

The probability that an asset will be unable to resist the actions of a threat agent.

This is quite different from how we normally define vulnerability as information security professionals. We usually view a vulnerability as a specific weakness in a system or application. In FAIR, vulnerability is an inverse measure of the ability of an asset to protect itself against the efforts of a threat agent.

A high probability means that the asset will likely be compromised and a low probability means that the asset will be able to effectively resist. You have to let that one percolate for a bit.

Vulnerability is made up of two factors, and here we diverge a bit from the Introduction. Both the Introduction and the Open Group Risk Taxonomy use Control Strength and Threat Capability as the factors of Vulnerability. Jack has since modified this slightly: Threat Capability (TCap) is still used, but Control Strength has been changed to Resistance Strength (RS). Let's talk about both of these for a second.

Resistance Strength is the probability that an asset can resist a baseline measure of force. Let's say I have a gate that keeps people from coming onto my property. Someone on a bicycle would be kept out, but someone in a Mini Cooper wouldn't. We would probably say that the Resistance Strength at that point is pretty low. Replace that flimsy gate with a door to rival those protecting the installation in Cheyenne Mountain and our Resistance Strength goes through the roof.

Threat Capability is just what it sounds like: how capable are the evildoers that are attempting to compromise my asset? Are they riding bicycles or driving Abrams tanks?

Putting the two together, Resistance Strength and Threat Capability, gives us Vulnerability. For instance, take that super strong door we were talking about. There is a very high probability that the door will be able to resist a baseline or average level of force. How about the evil dude on the bicycle? His Threat Capability is very low. Combining the two gives us a very low probability that the asset will be unable to resist the threat agent, i.e. we're going to be just fine.
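To make the combination concrete, here is an added example (my code, not from the post or from the FAIR/Open Group materials) that treats Vulnerability as the probability that a threat agent's capability exceeds the asset's Resistance Strength. It assumes, as I label in the code, that TCap and RS are both expressed as percentiles (0-100) of a threat community's capability, each given as a min / most-likely / max estimate.

```python
"""Added example: FAIR Vulnerability as P(TCap > RS).

Assumptions (mine): TCap and RS are percentiles (0-100) of a threat
community's capability, estimated as min / most-likely / max and
modelled with a triangular distribution. Sample figures are constructed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max on a 0-100 percentile scale."""
    low: float
    mode: float
    high: float

    def cdf(self, x: float) -> float:
        """Triangular CDF: P(value <= x)."""
        lo, md, hi = self.low, self.mode, self.high
        if x <= lo:
            return 0.0
        if x >= hi:
            return 1.0
        if x <= md:
            return (x - lo) ** 2 / ((hi - lo) * (md - lo))
        return 1.0 - (hi - x) ** 2 / ((hi - lo) * (hi - md))

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


def vulnerability(tcap: Estimate, rs_percentile: float) -> float:
    """Closed form when RS is a single percentile: P(TCap > RS)."""
    return 1.0 - tcap.cdf(rs_percentile)


def vulnerability_mc(tcap: Estimate, rs: Estimate,
                     n: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo when RS itself is uncertain: share of trials with TCap > RS."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(n) if tcap.sample(rng) > rs.sample(rng))
    return hits / n


if __name__ == "__main__":
    bicycle = Estimate(5, 15, 30)     # constructed: low-capability threat community
    blast_door = 95                   # constructed: resists all but the top 5%
    print("bicycle vs blast door:", vulnerability(bicycle, blast_door))
    mixed = Estimate(20, 50, 90)      # constructed: broad threat community
    print("mixed vs RS 60:", round(vulnerability(mixed, 60), 3))
    flimsy_gate = Estimate(10, 20, 35)  # constructed: uncertain, weak control
    print("mixed vs flimsy gate (MC):", vulnerability_mc(mixed, flimsy_gate))
```

The point the numbers make is the post's own: the same blast door gives a Vulnerability of zero against the bicycle rider, while the flimsy gate against a broader community lands near one.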

Next time we are going to take a quick look at how Threat Event Frequency and Vulnerability define Loss Frequency, and then we will start on the Probable Loss side of the Risk equation.

As always, please leave a comment or send me a note at kriggins@infosecramblings.com with your thoughts.
