@pidvicious That is the thing about being up against human adversaries, they are inherantly unpredictable.

@pidvicious Sometimes a person will do an unlikely thing because it is unlikely, and therefore more likely to work.

@pidvicious It is common to include threat actor likelihood of initiation and capability in risk calculations as it is a necessary component of determining probability of success, which combined with impact gives you risk.

@pidvicious "but wait" you might say, "you just said people are inherantly unpredictable!" Yes, individuals are, but populations are more predictable.

@pidvicious As long as it is taken as a generalization, and understood that it is impossible to account for unknown/unknowns or "black swan" events in risk models, then they are more useful than not.

@pidvicious This is my concern with the folks that are advocating for quantitative risk analysis over qualitative. There is no doubt that truly quantitative risk analysis would be far superior, if it actually works. But all of the quantitative risk models I've seen so far combine qualitative likelihood in with quantitative impact, and pass it off as a quantitative score ($x money over $y years), which gives it more gravitas. But risk scores should be treated as estimates of general behavior, not actual predictions, as I have not seen any model yet which provides accurate quantitative likelihood.

@pidvicious Beyond human behavior, I also believe it is an NP-hard problem to determine the attack graph itself, and most of them I've seen are overly simplistic.