Threat Event Frequency

Threat event frequency represents the number of times per year that an internal actor performs an action on the scoped asset that is not in accordance with the acceptable use policy (with or without malintent)

Vulnerability

Vulnerability (or susceptibility) represents the probability that loss occurs as a result of the action taken on the scoped asset

Primary Loss Magnitude

The loss event occurs once the internal actor causes a breach, outage, or compromise of the integrity of the asset. This typically triggers incident response, management, and containment efforts, at a minimum.

Secondary Loss Event Frequency

Secondary loss event frequency is modeled as the probability of responsive controls (such as backups, encryption, etc.) being circumvented and conditional (secondary) losses occurring.