How to derive Threat Event Frequency in FAIR using Contact Frequency and Probability of Action

Explore how Threat Event Frequency (TEF) is derived in FAIR by combining Contact Frequency with Probability of Action. Learn why these two variables directly shape TEF, how they differ from other factors, and how this insight sharpens risk assessments.

Outline:

  • Hook: TEF matters in risk math, and the right variables can simplify things.
  • What is TEF in FAIR? A quick, plain-language definition.

  • The two big players: Contact Frequency and Probability of Action

  • How to combine them: a simple relationship and what to watch for

  • Why the other options aren’t the direct way to derive TEF

  • Put it to work: what this means for risk decisions

  • Common gotchas and practical tips

  • Quick recap and a final thought

Understanding TEF in FAIR: when two numbers tell the story

Let me ask you a practical question: when you’re sizing up risk, do you want to know how often trouble could knock on your door, or how likely troublemakers are to actually take action when they do? In many FAIR-based assessments, there’s a clean way to link exposure with behavior to estimate Threat Event Frequency (TEF) even if you don’t pin down TEF directly. Here’s the thing in plain terms: TEF answers “how often could a threat event occur?” by looking at two big levers—the rate at which a threat actor comes into contact with your asset, and the chance they’ll act on that contact. Put those together, and you’ve got a frequency, not just a risk snapshot.

What is TEF, really?

In FAIR, TEF is the probable number of threat events over a given timeframe, where a threat event is a threat agent acting against the asset, whether or not the attempt succeeds. It is not about whether a breach will happen: a successful attempt is a loss event, and the share of threat events that become loss events is handled separately, by Vulnerability. Think of TEF as a clock that ticks with every meaningful interaction between a potential attacker and your system, adjusted by how likely they are to take action when they have the chance. It is a bridge between exposure and action.

Meet the stars of the show: Contact Frequency and Probability of Action

  • Contact Frequency: This is all about exposure. How often does a potential attacker interact with your asset, system, or data surface? It’s the tempo of their opportunities. If your system sits behind lots of gates, the contact frequency might be low; if it’s highly visible or easily accessible, it’s higher. In real terms, contact frequency is the rate at which the asset is in a position to be challenged or probed by someone with malicious intent.

  • Probability of Action: This one’s about intent turning into action. When a threat actor has the chance to do something harmful, what are their odds of following through? This isn’t just “will they go for it?” It’s “given the situation, with the attacker’s motives, tools, and constraints, how likely is it that they’ll actually act?” FAIR ties this probability to three things the actor weighs: the perceived value of acting, the perceived level of effort, and the perceived risk to themselves (of being detected or caught).

Together, these two pieces answer a practical question: if we count how often an attacker comes into contact with an asset and then weigh how often those contacts turn into an attempt, how often does a threat event realistically happen in the time frame we care about?

How to combine them (without overcomplicating things)

The core idea is straightforward: TEF is influenced by how often someone could interact with the asset, and how often they act once they’ve interacted. In simple terms:

TEF ≈ Contact Frequency × Probability of Action

  • If an attacker touches the asset on average 10 times per month (contact frequency), and each touch has a 5% chance of escalating to a malicious action (probability of action), then the expected TEF is about 0.5 events per month.

  • You can report over any window, but only Contact Frequency carries a time unit. Probability of Action is a per-contact probability with no time unit, so the product inherits Contact Frequency’s window. To report TEF per week or per year, rescale the rate (the Contact Frequency or the resulting TEF), never the Probability of Action, and compare estimates only when they use the same window.

A quick, tangible example helps: imagine a web portal that’s accessible to external users. Suppose, on average, a given attacker comes across the portal twice a week (contact frequency). If, when they encounter it, there’s a 10% chance they attempt something harmful (probability of action), you’d expect about 0.2 threat events per week. Over a month (about 4.3 weeks), that’s roughly 0.9 events, or about 10 per year: less than one event per month, but not negligible depending on the asset’s value or the potential impact.

Why the other options aren’t the direct path to TEF

  • A. Contact Frequency and Vulnerability: In FAIR, Vulnerability is the probability that a threat event turns into a loss event, not how severe the loss is. It is multiplied with TEF to get Loss Event Frequency, so it sits one step downstream of TEF and cannot be one of its inputs. Pairing it with Contact Frequency also skips the question of whether the actor acts at all.

  • C. Threat Capability and Resistance Strength: These are the inputs to Vulnerability. Comparing what the attacker can do (capability) with what the control set can withstand (resistance strength) tells you how likely an attempted threat event is to succeed, not how often attempts occur. They say nothing about how often the actor comes into contact with the asset or how often they choose to act, which is what TEF needs.

  • D. Threat Event Frequency cannot be derived: The right combination of Contact Frequency and Probability of Action gives you a practical way to approximate TEF, so TEF can be derived in many real-world scenarios. The method isn’t perfect in every context, but it’s widely applicable for estimating how often a threat event could occur.

Put simply: TEF comes from two things you can observe or estimate directly—how often those opportunities arise and how likely it is that, when they arise, they lead to action.

Why this pairing makes sense in risk modeling

Here’s the mental shortcut you’ll appreciate: Exposure and intent are the two pieces that turn a threat into a possible event. If you only know how often attackers contact your asset, you’re missing the “what then?” If you only know how likely they are to act, you’re ignoring how often they get the chance to act. Multiply the two, and you get a realistic cadence of threat events. It’s a practical balance between someone’s presence and their purpose.

A simple analogy: think of a doorbell and a thief

  • Doorbell frequency is like Contact Frequency: how often a thief or tester rings the doorbell or scans the system for weaknesses.

  • The thief’s resolve to swing a crowbar is like Probability of Action: once the doorbell rings, what are the odds they’ll break in?

If the doorbell rings rarely, or if most visitors are just curious neighbors, TEF stays low. If the doorbell rings often and thieves are determined, TEF climbs quickly. In both cases, understanding both pieces helps you forecast how often a real incident might pop up, so you can plan defenses accordingly.

Practical implications: using TEF to steer protection decisions

  • Prioritize controls that reduce contact frequency and/or the probability of action. Reducing exposure (less visibility, network segmentation, stricter access controls) lowers contact frequency. Probability of action moves with what the actor perceives: raising the visible effort or the risk of getting caught (deterrents, monitoring the attacker can see) and removing obvious value lower the odds that a contact turns into an action. Rapid detection and containment act further down the chain, on Vulnerability and loss magnitude, rather than on TEF.

  • Set sensible risk targets. If TEF is high and you cannot cut contact or deter action, lean on what limits each event: tighten detection, shorten the incident-response decision window, or patch a weak surface to reduce Vulnerability. If TEF is low, you can reallocate resources to high-impact areas rather than chasing every low-probability encounter.

  • Combine TEF with Vulnerability and impact data to build a complete risk picture. TEF times Vulnerability gives Loss Event Frequency, and Loss Event Frequency times loss magnitude gives expected loss, which is what most stakeholders actually care about.
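To make the control-selection point concrete, here is an added example (not code from the original article) that carries TEF through the rest of the FAIR chain and compares candidate controls. The relationships used are the standard FAIR ones (TEF = CF × PoA, Loss Event Frequency = TEF × Vulnerability, expected loss = LEF × loss magnitude); the portal scenario figures, the three controls, their annual costs, and the names `Scenario`, `compare_controls` and `best_value` are assumptions for illustration. It goes one step beyond the bullets above by showing that, in a multiplicative chain, a given proportional reduction in any single factor cuts expected loss by the same proportion, so the control to fund is the cheapest one that achieves it.

```python
"""Carry TEF through the FAIR chain and compare candidate controls.

Added example, not code from the original article. Relationships are the
standard FAIR ones; all scenario figures and control options are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    contact_frequency: float       # contacts per year
    probability_of_action: float   # per contact, 0..1
    vulnerability: float           # P(threat event becomes a loss event), 0..1
    loss_magnitude: float          # expected loss per loss event, currency units

    def tef(self) -> float:
        """Threat Event Frequency = CF x PoA (events per year)."""
        return self.contact_frequency * self.probability_of_action

    def lef(self) -> float:
        """Loss Event Frequency = TEF x Vulnerability (loss events per year)."""
        return self.tef() * self.vulnerability

    def ale(self) -> float:
        """Annualized expected loss = LEF x loss magnitude."""
        return self.lef() * self.loss_magnitude


def compare_controls(baseline: Scenario, controls: dict) -> dict:
    """For each control, return the expected loss after it and the reduction.

    A control is described as (field it changes, new value for that field).
    """
    results = {}
    for name, (field, new_value) in controls.items():
        after = replace(baseline, **{field: new_value})
        results[name] = {
            "ale": after.ale(),
            "reduction": baseline.ale() - after.ale(),
        }
    return results


def best_value(results: dict, annual_cost: dict) -> str:
    """Pick the control with the largest reduction net of its annual cost."""
    return max(results, key=lambda n: results[n]["reduction"] - annual_cost[n])


# Constructed scenario (assumption): an externally reachable portal.
BASELINE = Scenario(contact_frequency=100.0, probability_of_action=0.2,
                    vulnerability=0.3, loss_magnitude=50_000.0)

# Constructed control options (assumption): each changes exactly one factor.
CONTROLS = {
    "reduce exposure": ("contact_frequency", 50.0),       # halve CF
    "visible deterrence": ("probability_of_action", 0.1),  # halve PoA
    "patch and harden": ("vulnerability", 0.1),            # cut Vuln by 2/3
}
# Constructed annual cost of each control (assumption).
ANNUAL_COST = {
    "reduce exposure": 60_000.0,
    "visible deterrence": 20_000.0,
    "patch and harden": 90_000.0,
}

if __name__ == "__main__":
    print(f"baseline: TEF={BASELINE.tef():.1f}/yr  LEF={BASELINE.lef():.1f}/yr "
          f"ALE={BASELINE.ale():,.0f}")
    results = compare_controls(BASELINE, CONTROLS)
    for name, r in results.items():
        print(f"{name:20s} ALE={r['ale']:>10,.0f}  reduction={r['reduction']:>10,.0f}"
              f"  net of cost={r['reduction'] - ANNUAL_COST[name]:>10,.0f}")
    print("best value:", best_value(results, ANNUAL_COST))
```

Halving Contact Frequency and halving Probability of Action both halve expected loss, so they tie on benefit and the cheaper deterrence option wins on net; the patching control removes more loss in absolute terms but costs more than the difference, which is exactly the kind of trade-off TEF makes visible.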

Common pitfalls and practical tips

  • Be careful with units and timeframe. Contact Frequency is a rate (contacts per day, week, or year) and Probability of Action is a per-contact probability with no time unit, so the TEF you compute is in events per whatever window the Contact Frequency used. Converting a weekly estimate to a monthly one means rescaling the rate, not the probability, and comparing figures built on different windows produces confusing numbers.

  • Don’t treat Probability of Action as a fixed, universal constant. It varies by threat actor, context, and controls. You may need ranges or scenario-based estimates.

  • Don’t assume all contacts are equally risky. Some contact types might have higher action probabilities. Weight the contacts by their risk profile.

  • Remember this is a model, not a crystal ball. TEF is a useful estimate to guide decisions, not a guarantee of outcomes. Use it with other inputs (like vulnerability, impact, and existing controls) to form a balanced view.

  • Use real-world data when you can. Incident logs, threat intel, and testing results can tune both contact frequency and probability of action, making TEF more credible.
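The three tips above (ranges instead of a single Probability of Action, weighting contact types by their risk profile, and calibrating from real data) fit together in a small Monte Carlo estimate. This is an added example, not code from the original article or from any FAIR tool: the two contact types, their min/most-likely/max ranges, the two weeks of constructed daily scan counts, and the use of a PERT distribution (a common choice for calibrated three-point estimates, drawn here with the standard library's Beta sampler) are all my assumptions.

```python
"""Monte Carlo estimate of annual TEF from ranged Contact Frequency and
Probability of Action, broken out by contact type.

Added example, not code from the original article. The contact types, the
three-point ranges, the constructed daily counts and the PERT shape
parameter are assumptions. Standard library only.
"""
import random
import statistics


def pert_sample(low: float, mode: float, high: float,
                rng=random, lam: float = 4.0) -> float:
    """Draw from a modified-PERT distribution (a Beta rescaled to [low, high]).

    `rng` may be the `random` module or a seeded `random.Random` instance.
    """
    if high <= low:
        return low
    a = 1.0 + lam * (mode - low) / (high - low)
    b = 1.0 + lam * (high - mode) / (high - low)
    return low + (high - low) * rng.betavariate(a, b)


def range_from_daily_counts(daily_counts, days_per_year: float = 365.25):
    """Turn observed contacts-per-day into a (min, most likely, max) annual range."""
    lo = min(daily_counts)
    mid = statistics.median(daily_counts)
    hi = max(daily_counts)
    return (lo * days_per_year, mid * days_per_year, hi * days_per_year)


def simulate_tef(contact_types: dict, trials: int = 10_000, seed: int = 1):
    """Return (p10, p50, p90) of annual TEF summed over contact types.

    Each contact type is {"cf": (min, ml, max), "poa": (min, ml, max)};
    CF is contacts per year, PoA is per contact. Sampling each type
    separately is what lets a rare-but-determined actor and a noisy
    scanner population carry different Probabilities of Action.
    """
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        total = 0.0
        for spec in contact_types.values():
            cf = pert_sample(*spec["cf"], rng=rng)
            poa = pert_sample(*spec["poa"], rng=rng)
            total += cf * poa
        samples.append(total)
    samples.sort()

    def pct(q: float) -> float:
        return samples[min(int(q * trials), trials - 1)]

    return pct(0.10), pct(0.50), pct(0.90)


# Constructed data (assumption): distinct external sources hitting the
# login endpoint per day over two weeks, as counted from a WAF log review.
OBSERVED_DAILY_SCANS = [31, 28, 40, 35, 33, 52, 29, 30, 44, 38, 36, 27, 41, 39]

# Constructed contact types (assumption). PoA ranges are analyst estimates.
CONTACT_TYPES = {
    # High volume, low odds of going beyond a probe.
    "opportunistic scanning": {
        "cf": range_from_daily_counts(OBSERVED_DAILY_SCANS),
        "poa": (0.001, 0.005, 0.02),
    },
    # Rare, but far likelier to act once in contact.
    "targeted adversary": {
        "cf": (1.0, 3.0, 8.0),
        "poa": (0.3, 0.6, 0.9),
    },
}

if __name__ == "__main__":
    p10, p50, p90 = simulate_tef(CONTACT_TYPES)
    print(f"annual TEF  p10={p10:.1f}  p50={p50:.1f}  p90={p90:.1f}")
```

The output is a range, not a point: report the percentiles to stakeholders, and when a new control is proposed, re-run with the range it is expected to move (the scanning Contact Frequency range after an exposure reduction, say) rather than editing a single number.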

A few notes on related concepts

  • Threat Event Frequency sits in the broader FAIR framework alongside threat capabilities, control strength, vulnerability, and loss. TEF is part of the storytelling you do to explain how often things could go wrong, not just how bad it could be.

  • The beauty of this approach is its practical feel. It nudges you to look at exposure and attacker intent side by side rather than treating risk as a single, opaque number.

Closing thought: a practical lens on potential risk

If you’re wrestling with how to estimate risk in a way that’s both actionable and grounded in real-world observations, leaning on Contact Frequency and Probability of Action to derive TEF is a clean, intuitive route. It ties the everyday reality of exposure to human behavior. You don’t need a magic formula; you need a sensible pairing of two observable facets: how often someone could interact with your asset, and how often they’d do something harmful once they have that chance.

As you work through risk analyses, keep that pairing in mind. It’s a simple engine that can power more informed decisions, better resource allocation, and a clearer story for stakeholders who want to know where risk comes from. And if you ever feel the numbers getting abstract, bring it back to the doorbell analogy—and you’ll see the logic click into place again.

If you’d like, we can walk through a quick scenario with your own asset in mind. We’ll sketch a plausible Contact Frequency, estimate a Probability of Action based on threat actor behavior, and compute a TEF to ground the whole concept in something tangible.
