For those that deal with attack trees/graphs in #infosec, how much weight do you put into probability? To me, human probability is an arbitrary and unnecessary metric.

Am I wrong to think that human probability (e.g., skill set, demographic, likelihood of successful compromise) is far too random to be considered in a tabletop attack tree variable?

I'm trying to determine why this is a common thing.

@pidvicious No weight whatsoever. Over time I have been conditioned by constant reminders during 2 decades of incidents that you must assume the problem is a human, exists between keyboard & chair, and despite all the training in the world, will *always* be able to coerce a victim into clicking on a phishing link.

In other words, it is not a variable, it is a constant, and it will always trigger.