The probable level of force that a threat agent is capable of applying against an asset.
Not all threat agents are created equal. In fact, threat agents within a single threat community are not all going to have the same capabilities. What this should tell us is that the probability of the most capable threat agent acting against an asset is something less than 100%. In fact, depending upon the threat community under analysis and other conditions within the scenario, the probability of encountering a highly capable threat agent may be remote.
As information security professionals we often struggle with the notion of considering threat agent capability as a probability. We tend, instead, to gravitate toward focusing on the worst case. But if we look closely at the issue, it’s clear that focusing solely on worst case is to think in terms of possibility rather than probability.
Another important consideration is that some threat agents may be very proficient in applying one type of force, and incompetent at others. For example, a network engineer is likely to be proficient at applying technological forms of attack, but may be relatively incapable of executing complex accounting fraud.
Next: Control Strength
January 12th, 2007 at 1:23 pm
[...] Being specific about our "Professional/Amateur" and "Technical/Non-Technical" labels are not nearly as important as what they represent. They really represent what we are saying about the Threat Capability rating of our our threat community. When we think of threat capability, we tend to think in terms of a distribution. More specifics are here. We can use the following chart to give rough, qualitative labels to reflect what we mean when we use terms like professional, and technical or non-technical in the context of a DCS/SCADA scenario, and what part of the overall "Threat Capability" distribution they’re sitting at. Note that we can get trickier with qualitative and quantitative labeling and what-not, but the idea today is to start using our nice, newly opened framework so we’ll stay at this rather simple level. [...]