Estimating likelihood

Now that we have valid threat and vulnerability pairs, we need to determine the likelihood that a given vulnerability will be acted upon by a threat source.

As you develop your information security program, the estimation of likelihood in this scenario should be a well-established, repeatable process. While you can have multiple categories for likelihood, I recommend that you use only three (low, medium, and high). Using three categories keeps things simple and allows you to make simpler decisions; quicker decisions mean you can move on to the real task of securing your organization. Ultimately, how many categories you use depends on your organizational culture and policies. Be careful when you start moving beyond three, as people tend to start fighting over small points rather than the real issue.

A three-category likelihood scenario is defined as follows:

  • High: The threat source is highly capable and motivated. The security controls in place are ineffective.
  • Medium: The threat source is capable and motivated. The security controls in place may impede the successful exploitation of the vulnerability.
  • Low: The threat source is not capable or motivated. Security controls are in place that impede the successful exploitation of the vulnerability.
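To make the three-category rating a repeatable process rather than a judgment call, the rubric above can be encoded and run over every threat/vulnerability pair. The following is an added example, not code from the original text; the sample pairs are constructed, and the handling of combinations the three definitions do not spell out (for example a capable, motivated threat facing effective controls) is an assumption stated in the code.

```python
from dataclasses import dataclass

# Constructed rubric: the three definitions follow the text, the treatment
# of combinations the text does not define is an assumption (see docstring).
CAPABILITY = {"none": 0, "capable": 1, "highly capable": 2}
CONTROLS = {"ineffective": 0, "may impede": 1, "impede": 2}


@dataclass(frozen=True)
class ThreatVulnPair:
    threat: str           # threat source, e.g. "disgruntled insider"
    vulnerability: str    # the weakness it could act upon
    capability: str       # key of CAPABILITY
    motivated: bool       # is the threat source motivated to act?
    controls: str         # key of CONTROLS, how well controls impede exploitation


def estimate_likelihood(pair: ThreatVulnPair) -> str:
    """Rate one pair as "High", "Medium" or "Low" using the three definitions.

    High   - highly capable and motivated threat, controls ineffective.
    Medium - capable and motivated threat, controls may impede exploitation.
    Low    - threat not capable or not motivated, or controls impede exploitation.
    Assumption: any pair that is neither clearly High nor clearly Low is Medium,
    so an undefined combination is never silently rated Low.
    """
    cap = CAPABILITY[pair.capability]
    ctl = CONTROLS[pair.controls]
    if cap == 0 or not pair.motivated or ctl == 2:
        return "Low"
    if cap == 2 and ctl == 0:
        return "High"
    return "Medium"


def build_register(pairs):
    """Rate every pair and sort High first, so the register reads as a work queue."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(((estimate_likelihood(p), p) for p in pairs), key=lambda r: order[r[0]])


# Constructed sample pairs for illustration only.
SAMPLE_PAIRS = [
    ThreatVulnPair("organised crime", "unpatched internet-facing app", "highly capable", True, "ineffective"),
    ThreatVulnPair("disgruntled insider", "shared admin account", "capable", True, "may impede"),
    ThreatVulnPair("opportunistic scanner", "legacy FTP service", "capable", False, "ineffective"),
    ThreatVulnPair("nation state", "hardened VPN appliance", "highly capable", True, "impede"),
]

if __name__ == "__main__":
    for level, p in build_register(SAMPLE_PAIRS):
        print(f"{level:<6} {p.threat} -> {p.vulnerability}")
```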