Web App Attack (Code Exploitation) Attack Chain Diagram

Web App Attack: Code Exploitation


Threat Event Frequency

Threat event frequency represents the number of times per year that a threat actor performs a targeted web application attack with the intent of causing harm to the scoped asset (which may or may not be the web app itself, depending on the analysis).

Vulnerability

Vulnerability (or susceptibility) represents the probability that the threat actor can circumvent any one of the relevant control groups (application code, infrastructure, or boundary hardening) and successfully compromise the web application with a code exploit.

Primary Loss Magnitude

The loss event occurs once the threat actor compromises the web application and accesses the asset. This typically triggers incident response, management, and containment efforts, at a minimum.

Secondary Loss Event Frequency

Secondary loss event frequency is modeled as the probability of responsive controls (such as backups or encryption) being circumvented and conditional (secondary) losses occurring.
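The four factors above can be chained into a small Monte Carlo estimate of annual loss. This is an added example, not part of the original article: it assumes the three control groups fail independently, threat events arrive as a Poisson process, and losses follow triangular (min, most likely, max) estimates; every number in `SAMPLE` is constructed.

```python
import math
import random

def vulnerability(p_bypass):
    """P(attacker circumvents at least one control group), assuming independence."""
    p_all_hold = 1.0
    for p in p_bypass.values():
        p_all_hold *= 1.0 - p
    return 1.0 - p_all_hold

def poisson(rng, lam):
    """Knuth's sampler: number of threat events in one year for a mean rate lam."""
    limit, k, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k

def tri(rng, lo, mode, hi):
    return rng.triangular(lo, hi, mode)  # stdlib argument order is (low, high, mode)

def simulate(tef, p_bypass, primary, slef, secondary, years=20000, seed=7):
    """Annual loss distribution; primary/secondary are (min, most likely, max)."""
    rng, vuln, totals = random.Random(seed), vulnerability(p_bypass), []
    for _ in range(years):
        loss = 0.0
        for _ in range(poisson(rng, tef)):       # threat events this year
            if rng.random() >= vuln:             # every control group held
                continue
            loss += tri(rng, *primary)           # loss event: response, containment
            if rng.random() < slef:              # responsive controls circumvented
                loss += tri(rng, *secondary)
        totals.append(loss)
    totals.sort()
    return {"vulnerability": vuln, "mean": sum(totals) / years,
            "p90": totals[int(0.9 * years)]}

# Constructed sample inputs, not figures from the page.
SAMPLE = dict(
    tef=4.0,
    p_bypass={"application code": 0.10, "infrastructure": 0.20, "boundary hardening": 0.05},
    primary=(20_000, 50_000, 150_000),
    slef=0.30,
    secondary=(50_000, 200_000, 1_000_000),
)

if __name__ == "__main__":
    print(simulate(**SAMPLE))
```

Lowering any single control group's bypass probability reduces the combined vulnerability, and with it the loss event frequency that drives both the mean and the 90th-percentile annual loss.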

