Having covered the high-level factors that drive whether threat events take place, we now turn our attention to the factors that drive whether the asset is able to resist threat agent actions. Vulnerability is defined as:

The probability that an asset will be unable to resist the actions of a threat agent.

As you’ll recall from the Introduction, vulnerability exists when there’s a difference between the force being applied by the threat agent and an object’s ability to resist that force. This simple analysis gives us the two primary factors that drive vulnerability: Threat Capability and Control Strength. The figure below adds these factors to our taxonomy.

Vulnerability is always relative to the type of force involved. In other words, the tensile strength of a rope is pertinent only if the threat agent force is a weight applied along the length of the rope. Tensile strength doesn’t generally apply to a scenario where the threat agent is fire, chemical erosion, etc. Likewise, an antivirus product doesn’t provide much in the way of protection from the internal employee seeking to perpetrate fraud. The key, then, is to evaluate vulnerability in the context of specific threat types and control types.

One final point regarding vulnerability: there’s no such thing as being more than 100% vulnerable to any specific threat agent/attack vector combination. Vulnerability can exist such that harm can occur from more than one threat agent through more than one attack vector, but each of those represents a different potential threat event. For example, if I’m walking down the street at night in a particularly dangerous part of town, I’m vulnerable to multiple potential threat events – being run over by a car, being mugged, or being the victim of a drive-by shooting. My vulnerability to any one of these events cannot exceed 100%, yet my aggregate risk is obviously greater as a result of the multiple threat scenarios.
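A small model of the two points above, added here as an illustration and not part of the original post or the FAIR framework itself: per-event vulnerability is estimated as the fraction of sampled threat-agent capability that exceeds the control strength opposing it (so it can never exceed 100%), and the aggregate probability of harm across several independent threat events is higher than any single one. The 0-100 capability/control scale, the triangular distributions and the three scenarios are constructed assumptions.

```python
import random

def vulnerability(capability_samples, control_strength):
    """Per-event vulnerability: the fraction of threat-capability samples
    that exceed the asset's control strength against that threat type.
    Both use a constructed 0-100 scale. The result is a probability in
    [0, 1]: no matter how capable the threat agent, it cannot exceed 100%."""
    if not capability_samples:
        raise ValueError("need at least one capability sample")
    exceeded = sum(1 for c in capability_samples if c > control_strength)
    return exceeded / len(capability_samples)

def sample_capability(low, mode, high, n, seed=0):
    """Draw n threat-capability values from a triangular distribution, a
    constructed stand-in for a calibrated estimate of the threat community."""
    rng = random.Random(seed)
    return [rng.triangular(low, high, mode) for _ in range(n)]

def aggregate_harm_probability(vulnerabilities):
    """Probability that at least one of several independent threat events
    succeeds: 1 - prod(1 - v_i). Each v_i is capped at 1.0, yet the
    aggregate rises above any single event as more events are added."""
    p_none = 1.0
    for v in vulnerabilities:
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"vulnerability out of range: {v}")
        p_none *= 1.0 - v
    return 1.0 - p_none

# Constructed scenarios: three distinct threat events against one asset, each
# with its own capability estimate (low, mode, high) and control strength.
# The last one mirrors the post's point that a control of the wrong type
# (antivirus vs. insider fraud) offers essentially no resistance.
SCENARIOS = {
    "opportunistic outsider vs. patched perimeter": ((10, 40, 80), 70),
    "organised crime vs. legacy web app": ((40, 70, 95), 55),
    "insider fraud vs. antivirus only": ((50, 85, 100), 20),
}

def scenario_vulnerabilities(scenarios=SCENARIOS, n=10_000):
    """Per-event vulnerability for each scenario, keyed by scenario name."""
    return {name: vulnerability(sample_capability(*tri, n=n), cs)
            for name, (tri, cs) in scenarios.items()}

if __name__ == "__main__":
    vulns = scenario_vulnerabilities()
    for name, v in vulns.items():
        print(f"{name}: vulnerability = {v:.0%}")
    print(f"P(at least one event succeeds) = "
          f"{aggregate_harm_probability(vulns.values()):.0%}")
```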


2 Responses to “Vulnerability”

  1. Puzzles, Mysteries, & The Giant Ball Of String | RiskAnalys.is Says:

    [...] in our controls framework – the distributions may shift and we may end up on the wrong side of the Threat Capability vs. Control Strength battle. The good news is that we do know the “points of attack” or attack vectors that they [...]

  2. Exploring F.A.I.R. – Taxonomy – Vulnerability Says:

    [...] the Introduction, Vulnerability is: The probability that an asset will be unable to resist the actions of a threat [...]
