The probability that a threat agent will act against an asset once contact occurs.
Once contact occurs between a threat agent and an asset, action against the asset may or may not take place. For some threat agent types, action always takes place. For example, if a tornado comes into contact with a house, action is a foregone conclusion. Action is only in question when we’re talking about “thinking” threat agents such as humans and other animals, and artificially intelligent threat agents like malicious programs (which are extensions of their human creators).
The probability that an intentional malicious act will take place is driven by three primary factors:
- Asset value – from the threat agent’s perspective
- Vulnerability – the threat agent’s expectation of success
- Risk – the probability of negative consequences to the threat agent – i.e., the probability of getting caught and suffering unacceptable consequences.