
5. Likelihood

Likelihood of occurrence

The likelihood of occurrence is a weighted risk factor that analyzes the probability of a threat exploiting a vulnerability (or set of vulnerabilities). This likelihood combines an estimate of the probability that a threat event will be initiated with an estimate of the likelihood of its impact (i.e., the chance that the event will result in adverse effects).

Adversarial threats

For adversarial threats, the assessment of likelihood is typically based on:

Adversary intent

Adversary intent refers to the adversary's motivation or desire to carry out an attack, whether for financial gain, data theft, disruption, or espionage. It indicates the willingness and determination of an adversary to initiate harmful actions against a target.

Adversary targeting

Adversary targeting involves the selection of specific targets, reflecting who or what the adversary aims to attack based on their goals, motivations, or perceived vulnerabilities.

Adversary capability

Adversary capability refers to the skills, resources, and tools available to an adversary that enable them to execute an attack effectively, including their technical skills, infrastructure, and support networks.

Non-adversarial threats

For non-adversarial threats, the likelihood of occurrence is estimated using historical evidence, empirical data, or other relevant factors. The likelihood of a threat event is assessed over a specific time frame (e.g., the next six months, the next year, or until a particular milestone). If an event is almost certain to occur within this period, the risk assessment may also consider its estimated frequency.


Likelihood of impact

The likelihood of impact addresses the probability that a threat event will cause adverse effects, regardless of the expected severity of harm.
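The following is an added worked example, not text or code from NIST SP 800-30, showing one way to turn the two ideas above into numbers: the non-adversarial estimate from historical evidence over a stated time frame (with estimated frequency reported when the event is almost certain), and the combination of likelihood of occurrence with likelihood of impact. It assumes that past occurrences can be modelled as a Poisson process with the historical rate, that "almost certain" means a probability of 0.95 or more, and it uses constructed incident dates; none of these assumptions come from the source.

```python
from datetime import date
from math import exp

# Constructed sample: dates on which one non-adversarial threat event
# (say, loss of a site's primary power feed) occurred, as an incident
# log might record them. Made-up dates for this example, not real data.
INCIDENTS = [
    date(2019, 3, 4), date(2020, 1, 19), date(2021, 7, 2),
    date(2022, 11, 15), date(2023, 5, 30), date(2023, 9, 12),
]
OBSERVATION_START = date(2019, 1, 1)
OBSERVATION_END = date(2023, 12, 31)


def annual_rate(incidents, start, end):
    """Historical occurrence rate (events per year) over the observation window."""
    years = (end - start).days / 365.25
    events = sum(1 for d in incidents if start <= d <= end)
    return events / years


def likelihood_within(rate_per_year, months):
    """Probability of at least one event in the next `months`.

    Assumption of this example: occurrences follow a Poisson process with
    the historical rate, so P(no event) = exp(-expected count).
    """
    expected = rate_per_year * months / 12.0
    return 1.0 - exp(-expected)


def overall_likelihood(p_event, p_adverse_given_event):
    """Likelihood of occurrence combined with likelihood of impact:
    P(adverse effect) = P(event occurs) * P(adverse effect | event)."""
    return p_event * p_adverse_given_event


def assess(incidents, start, end, months, p_adverse_given_event,
           near_certain=0.95):
    """Assess one threat event over a time frame of `months`.

    `near_certain` is an assumed threshold for "almost certain to occur";
    above it the estimated frequency (expected number of events in the
    time frame) is reported as well, as the text suggests.
    """
    rate = annual_rate(incidents, start, end)
    p_event = likelihood_within(rate, months)
    result = {
        "rate_per_year": rate,
        "p_event": p_event,
        "p_adverse": overall_likelihood(p_event, p_adverse_given_event),
    }
    if p_event >= near_certain:
        result["expected_events"] = rate * months / 12.0
    return result


if __name__ == "__main__":
    # Six-month horizon: the event is not near-certain, so only probabilities
    # are reported. Three-year horizon: near-certain, so frequency is added.
    for horizon in (6, 36):
        print(horizon, "months:",
              assess(INCIDENTS, OBSERVATION_START, OBSERVATION_END,
                     horizon, p_adverse_given_event=0.4))
```

The split between `p_event` and `p_adverse` mirrors the two estimates in the text: `p_event` is the likelihood that the threat event occurs at all in the time frame, and the conditional probability passed in as `p_adverse_given_event` is the likelihood of impact, which is judged independently of how severe that impact would be.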


(Source: NIST SP 800-30)