Control Strength (CS), Control Failure Rate, and Resistance Strength (RS) Rubric
FAIR INTEL


Overview
These three variables represent the defender side of the FAIR model. Unlike TCap (which measures attacker capability from threat intelligence), CS and RS measure organizational defensive posture. Because threat intelligence does not contain information about the reader's specific control environment, this analysis uses fixed baseline values representing a "typical mid-maturity organization." Readers should adjust based on their actual control implementation.
The Relationship
CS (Control Strength) - Failure Rate = RS (Resistance Strength)
RS then combines with TCap to determine Vulnerability:
Vulnerability = TCap / (TCap + RS)
Why Fixed Baseline Values?
Threat intelligence tells us about the attacker. It does not tell us about the defender.
| Variable | Source | Available from Threat Intel? |
|---|---|---|
| TCap | Attacker tools, techniques, resources | Yes |
| CS | Defender control implementation | No |
| Failure Rate | Defender control reliability | No |
| RS | Defender effective resistance | No |
To produce a complete risk calculation, we assume a typical mid-maturity organization as the baseline. This allows:
- Consistent, repeatable analysis across reports
- A starting point for organizational self-assessment
- Meaningful comparison of threats against a common baseline
Baseline Values
| Variable | Baseline Value | Rationale |
|---|---|---|
| CS | 0.50 | Mid-maturity organization with standard controls and some gaps |
| Failure Rate | 0.05 | Controls fail approximately 5% of the time. Based on observed telemetry where organizations receive thousands of malicious emails monthly but only a small fraction pass through filters. |
| RS | 0.45 | Effective resistance after accounting for failures (0.50 - 0.05) |
Control Strength (CS) Scale
CS measures how well an organization's controls are implemented and maintained against the threat's specific techniques.
| Tier | Range | Description |
|---|---|---|
| Very High | 0.80-1.00 | Mature security program with defense-in-depth. Controls specifically address threat TTPs. Continuous monitoring, rapid detection, and automated response. Regular testing and validation. |
| High | 0.60-0.80 | Strong controls with minor gaps. Most threat TTPs are addressed. Good detection capability with some blind spots. Regular but not continuous validation. |
| Moderate | 0.40-0.60 | Standard controls with known gaps. Some threat TTPs addressed, others not. Reactive posture. Periodic assessments. This is the baseline for a typical mid-maturity organization. |
| Low | 0.20-0.40 | Basic controls with significant gaps. Few threat TTPs specifically addressed. Limited detection capability. Infrequent assessment. |
| Very Low | 0.00-0.20 | Minimal controls. Poor security hygiene. Little to no detection capability. No formal security program. |
Control Failure Rate Scale
Failure Rate measures how often controls fail to perform as expected when needed.
| Tier | Range | Description |
|---|---|---|
| Very High | 0.20-0.30 | Controls frequently fail. Widespread misconfiguration. No validation or testing. High alert fatigue leading to missed detections. |
| High | 0.10-0.20 | Controls often fail. Inconsistent configuration. Infrequent testing. Significant alert fatigue. |
| Moderate | 0.05-0.10 | Controls sometimes fail. Some misconfiguration. Periodic testing. Moderate alert fatigue. 0.05 is the baseline for a typical organization. |
| Low | 0.02-0.05 | Controls rarely fail. Consistent configuration. Regular testing and validation. Managed alert volume. |
| Very Low | 0.00-0.02 | Controls almost never fail. Rigorous configuration management. Continuous validation. Well-tuned alerting with minimal fatigue. |
Resistance Strength (RS) Calculation
RS = CS - Failure Rate
| Scenario | CS | Failure Rate | RS | Interpretation |
|---|---|---|---|---|
| Baseline (mid-maturity) | 0.50 | 0.05 | 0.45 | Typical organization |
| Improved controls | 0.70 | 0.05 | 0.65 | Better control implementation |
| Strong controls | 0.90 | 0.02 | 0.88 | Mature security program |
| Weak controls | 0.30 | 0.15 | 0.15 | Immature security program |
How RS Affects Vulnerability and LEF
Using the simplified Vulnerability formula:
Vulnerability = TCap / (TCap + RS)
Example with TCap = 0.70 (High):
| Scenario | RS | Vulnerability | TEF | LEF |
|---|---|---|---|---|
| Weak controls | 0.15 | 0.82 (82%) | 4.5/year | 3.69 losses/year |
| Baseline | 0.45 | 0.61 (61%) | 4.5/year | 2.75 losses/year |
| Improved | 0.65 | 0.52 (52%) | 4.5/year | 2.34 losses/year |
| Strong | 0.88 | 0.44 (44%) | 4.5/year | 1.98 losses/year |
Key insight: The same threat (same TEF, same TCap) results in different loss frequencies depending on organizational controls.
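The calculation behind the two tables above, as an added example (this is not FAIR INTEL's own tooling). It implements RS = CS - Failure Rate, Vulnerability = TCap / (TCap + RS) and LEF = TEF × Vulnerability with decimal arithmetic and half-up rounding so that the two-decimal figures match the tables, and it classifies CS and Failure Rate into the rubric's tiers. The function names are this example's; the choice that a value on a shared boundary (for example CS 0.80) takes the higher tier is an assumption, as is flooring RS at zero when the Failure Rate exceeds CS.

```python
"""Worked FAIR defender-side calculation (added example, not FAIR INTEL's code).

Implements the rubric's formulas
    RS            = CS - Failure Rate
    Vulnerability = TCap / (TCap + RS)
    LEF           = TEF * Vulnerability
and the CS / Failure Rate tier tables. Decimal arithmetic with half-up
rounding reproduces the two-decimal figures in the scenario tables.
"""
from decimal import Decimal, ROUND_HALF_UP

TWO_DP = Decimal("0.01")


def _dec(x) -> Decimal:
    """Accept int, float, str or Decimal without float rounding surprises."""
    return x if isinstance(x, Decimal) else Decimal(str(x))


def _round2(x: Decimal) -> Decimal:
    return x.quantize(TWO_DP, rounding=ROUND_HALF_UP)


def resistance_strength(cs, failure_rate) -> Decimal:
    """RS = CS - Failure Rate. Inputs must lie in [0, 1]; RS is floored at 0
    (assumption: a failure rate above CS means no effective resistance)."""
    cs, fr = _dec(cs), _dec(failure_rate)
    for name, v in (("CS", cs), ("Failure Rate", fr)):
        if not Decimal(0) <= v <= Decimal(1):
            raise ValueError(f"{name} must lie in [0, 1], got {v}")
    return _round2(max(Decimal(0), cs - fr))


def vulnerability(tcap, rs) -> Decimal:
    """Simplified FAIR Vulnerability = TCap / (TCap + RS)."""
    tcap, rs = _dec(tcap), _dec(rs)
    if tcap + rs <= 0:
        raise ValueError("TCap + RS must be positive")
    return _round2(tcap / (tcap + rs))


def loss_event_frequency(tef, vuln) -> Decimal:
    """LEF (loss events/year) = TEF (attempts/year) * Vulnerability."""
    return _round2(_dec(tef) * _dec(vuln))


# Tier tables from the rubric as (inclusive lower bound, tier name), highest first.
# Assumption: a value on a shared boundary (e.g. CS 0.80) takes the higher tier.
CS_TIERS = [("0.80", "Very High"), ("0.60", "High"), ("0.40", "Moderate"),
            ("0.20", "Low"), ("0.00", "Very Low")]
FAILURE_RATE_TIERS = [("0.20", "Very High"), ("0.10", "High"), ("0.05", "Moderate"),
                      ("0.02", "Low"), ("0.00", "Very Low")]


def tier(value, tiers) -> str:
    """Return the rubric tier whose lower bound the value meets."""
    v = _dec(value)
    for lower, name in tiers:
        if v >= Decimal(lower):
            return name
    return tiers[-1][1]


def analyze(cs, failure_rate, tcap, tef) -> dict:
    """Run one scenario end to end and return every intermediate figure."""
    rs = resistance_strength(cs, failure_rate)
    vuln = vulnerability(tcap, rs)
    return {
        "cs_tier": tier(cs, CS_TIERS),
        "failure_rate_tier": tier(failure_rate, FAILURE_RATE_TIERS),
        "rs": rs,
        "vulnerability": vuln,
        "lef": loss_event_frequency(tef, vuln),
    }


# The four scenarios from the RS table, evaluated at the page's TCap and TEF.
SCENARIOS = {
    "Weak controls": ("0.30", "0.15"),
    "Baseline (mid-maturity)": ("0.50", "0.05"),
    "Improved controls": ("0.70", "0.05"),
    "Strong controls": ("0.90", "0.02"),
}

if __name__ == "__main__":
    print(f"{'Scenario':<24} {'CS':>5} {'FR':>5} {'RS':>5} {'Vuln':>5} {'LEF/yr':>7}")
    for name, (cs, fr) in SCENARIOS.items():
        r = analyze(cs, fr, tcap="0.70", tef="4.5")
        print(f"{name:<24} {cs:>5} {fr:>5} {r['rs']:>5} "
              f"{r['vulnerability']:>5} {r['lef']:>7}")
```

Run stand-alone it prints the scenario table; the Decimal type matters because the LEF figures in the table are rounded from the already-rounded Vulnerability (4.5 × 0.61 = 2.745 → 2.75), which binary floats round the other way.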
How the Math Travels
The formulas are designed so that better defenses reduce risk:
| Change | Effect on RS | Effect on Vulnerability | Effect on LEF |
|---|---|---|---|
| Higher CS | ↑ Increases | ↓ Decreases | ↓ Decreases |
| Lower Failure Rate | ↑ Increases | ↓ Decreases | ↓ Decreases |
| Lower CS | ↓ Decreases | ↑ Increases | ↑ Increases |
| Higher Failure Rate | ↓ Decreases | ↑ Increases | ↑ Increases |
This reflects reality:
- Better controls = fewer successful attacks
- More reliable controls = fewer successful attacks
- TEF stays constant (the threat keeps trying regardless of your controls)
- LEF changes based on how often those attempts succeed
Improvement Guidance
The analysis will map observed threat TTPs to:
- Relevant NIST 800-53 Controls - Which controls address the specific techniques used
- Technologies - EDR, network segmentation, MFA, etc. that would improve CS
- Improvement Scenarios - Quantified impact of control improvements on LEF
Example Control Mapping
For a threat using watering-hole attacks, AMSI bypass, and credential theft:
| TTP | NIST 800-53 Controls | Technologies | CS Impact |
|---|---|---|---|
| Watering-hole delivery | SC-7 (Boundary Protection), SI-3 (Malware Protection) | Web proxy, browser isolation | +0.05-0.10 |
| AMSI/ETW bypass | SI-4 (System Monitoring), SI-7 (Software Integrity) | EDR with behavioral detection | +0.05-0.10 |
| Credential theft | IA-2 (Multi-factor Auth), IA-5 (Authenticator Management) | MFA, credential vaulting, PAM | +0.05-0.10 |
Example Improvement Scenario
Baseline: CS = 0.50, Failure Rate = 0.05, RS = 0.45
After implementing EDR + MFA + browser isolation:
- CS improves from 0.50 to 0.70 (+0.20)
- Failure Rate stays at 0.05
- RS improves from 0.45 to 0.65
Impact on risk (TCap = 0.70, TEF = 4.5/year):
- Vulnerability: 0.61 → 0.52 (15% reduction)
- LEF: 2.75/year → 2.34/year (15% reduction)
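The improvement scenario carried through from the control mapping table, as an added example (not FAIR INTEL's own code). It sums the per-TTP CS gains additively, which is the rubric's stated linear assumption, recomputes RS, Vulnerability and LEF for the baseline organization, and reports the whole-percent reductions quoted above. The +0.20 used by the page sits inside the +0.15 to +0.30 range the mapping table implies, so the example evaluates the low end, the page's figure and the high end. Capping CS at 1.00 and the function names are this example's own choices.

```python
"""Improvement scenario from the control mapping (added example, not FAIR INTEL's code).

Applies the rubric's additive CS gains for the mapped TTPs, recomputes RS,
Vulnerability and LEF, and reports the percent reduction. Additivity is the
rubric's stated linear assumption; the cap at CS = 1.00 is this example's.
"""
from decimal import Decimal, ROUND_HALF_UP

TWO_DP = Decimal("0.01")
WHOLE = Decimal("1")


def _dec(x) -> Decimal:
    return x if isinstance(x, Decimal) else Decimal(str(x))


def _round2(x: Decimal) -> Decimal:
    return x.quantize(TWO_DP, rounding=ROUND_HALF_UP)


# Control mapping table from the rubric: TTP -> (technologies, low CS gain, high CS gain).
CONTROL_MAP = {
    "Watering-hole delivery": ("web proxy, browser isolation", "0.05", "0.10"),
    "AMSI/ETW bypass": ("EDR with behavioral detection", "0.05", "0.10"),
    "Credential theft": ("MFA, credential vaulting, PAM", "0.05", "0.10"),
}


def cs_gain_range(ttps) -> tuple:
    """Sum the per-TTP CS gains into a (low, high) range for the chosen controls."""
    low = sum((Decimal(CONTROL_MAP[t][1]) for t in ttps), Decimal(0))
    high = sum((Decimal(CONTROL_MAP[t][2]) for t in ttps), Decimal(0))
    return low, high


def pct_reduction(before: Decimal, after: Decimal) -> Decimal:
    """Whole-percent reduction, half-up, as in the rubric's '15% reduction'."""
    if before == 0:
        return Decimal(0)
    return ((before - after) / before * 100).quantize(WHOLE, rounding=ROUND_HALF_UP)


def improvement_scenario(cs, failure_rate, tcap, tef, cs_delta) -> dict:
    """Before/after figures for a CS gain with the Failure Rate held constant."""
    cs, fr, tcap, tef, delta = (_dec(v) for v in (cs, failure_rate, tcap, tef, cs_delta))
    cs_after = min(Decimal("1.00"), cs + delta)   # assumption: CS cannot exceed 1.00
    rs_before, rs_after = _round2(cs - fr), _round2(cs_after - fr)
    v_before = _round2(tcap / (tcap + rs_before))  # Vulnerability = TCap / (TCap + RS)
    v_after = _round2(tcap / (tcap + rs_after))
    lef_before, lef_after = _round2(tef * v_before), _round2(tef * v_after)  # LEF = TEF * Vuln
    return {
        "cs_after": cs_after, "rs_before": rs_before, "rs_after": rs_after,
        "vuln_before": v_before, "vuln_after": v_after,
        "lef_before": lef_before, "lef_after": lef_after,
        "vuln_reduction_pct": pct_reduction(v_before, v_after),
        "lef_reduction_pct": pct_reduction(lef_before, lef_after),
    }


if __name__ == "__main__":
    ttps = list(CONTROL_MAP)
    low, high = cs_gain_range(ttps)
    print(f"Mapped CS gain for {len(ttps)} TTPs: +{low} to +{high}")
    # The page's scenario uses +0.20, inside that range; show low, page, high.
    for label, delta in (("low", low), ("page", Decimal("0.20")), ("high", high)):
        r = improvement_scenario("0.50", "0.05", "0.70", "4.5", delta)
        print(f"{label:>4}: CS 0.50 -> {r['cs_after']}, Vuln {r['vuln_before']} -> "
              f"{r['vuln_after']} (-{r['vuln_reduction_pct']}%), LEF {r['lef_before']} -> "
              f"{r['lef_after']}/yr (-{r['lef_reduction_pct']}%)")
```

Because the gains are additive, an organization whose CS is already high can be pushed past 1.00 by the table; the cap keeps RS inside the rubric's scale, but the "linear improvement" limitation noted below is the real caveat: overlapping controls rarely add their full individual gains.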
Disclaimer
CS, Failure Rate, and RS values in this analysis use fixed baselines representing a typical mid-maturity organization. Actual organizational resistance may be higher or lower. Organizations should assess their own control implementation against the mapped TTPs and adjust RS accordingly for accurate risk calculation.
Limitations and Assumptions
- Organization-specific data unavailable - Threat intelligence does not reveal defender posture; baseline assumptions are necessary
- Mid-maturity assumption - Baseline assumes typical controls; actual organizations vary widely
- Failure Rate estimation - 5% failure rate is based on observed telemetry where most malicious content is blocked but a small fraction passes through; actual rates depend on control maturity and validation practices
- Linear improvement - Control improvements are shown as additive; actual improvement may vary based on control interdependencies
- TTP-specific controls - Control effectiveness varies by technique; a control strong against one TTP may be weak against another
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | January 2026 | Initial publication |