Probability of Action (PoA) Rubric
- FAIR INTEL

- 6 days ago

Overview
Probability of Action (PoA) measures the likelihood that a threat actor will act once contact with a target occurs. In FAIR methodology, PoA captures the threat actor's motivation and commitment to follow through on an attack opportunity.
PoA is expressed as a decimal between 0.00 and 1.00 and is combined with Contact Frequency (CF) to calculate Threat Event Frequency (TEF):
TEF = CF × PoA
PoA Estimation Context
Inferred vs. Observed Probability of Action
This rubric estimates PoA based on threat intelligence reporting, not direct observation. PoA is inferred from:
- Actor's historical behavior and follow-through patterns
- Stated or implied motivations
- Resource investment in campaign infrastructure
- Target alignment with actor's known objectives
Disclaimer
The PoA values in this analysis are inferred from threat intelligence reporting and represent analyst judgment based on observable indicators. Actual probability of action may vary based on factors not visible in reporting.
Probability of Action Scale
Scale Design: Equal Intervals
The PoA scale uses equal 0.20 intervals for consistency and simplicity:
Tier | Range | Meaning |
Very High | 0.80-1.00 | Near certainty of action; actor is highly motivated and committed |
High | 0.60-0.80 | Strong likelihood of action; actor has clear motivation and demonstrated commitment |
Moderate | 0.40-0.60 | Uncertain; actor may or may not act depending on circumstances |
Low | 0.20-0.40 | Action unlikely unless conditions are favorable; actor is opportunistic or distracted |
Very Low | 0.00-0.20 | Action rare; actor has minimal motivation or competing priorities |
Why Equal Intervals?
Unlike CF (which uses calendar-anchored cutoffs), PoA represents a probability. Equal intervals:
- Are intuitive to interpret (each tier spans 20 percentage points)
- Avoid arbitrary cutoffs
- Align with common probability language (e.g., "60-80% likely" = High)
Probability of Action Rubric
Tier | Range | Observable Criteria |
Very High | 0.80-1.00 | State-sponsored actor with strategic mandate. Clear financial monetization path with proven success. Target exactly matches known victimology. Significant sunk cost in campaign (custom tooling, infrastructure). Actor has history of persistent follow-through. No indication of competing priorities. |
High | 0.60-0.80 | Established actor with consistent operational history. Clear motivation (financial, espionage, hacktivism). Target aligns with known targeting patterns. Dedicated campaign infrastructure observed. Actor demonstrates adaptability when initial attempts fail. |
Moderate | 0.40-0.60 | Actor motivation is mixed or unclear. Target partially aligns with known patterns. Campaign infrastructure is shared or minimal. Actor may pursue easier targets if resistance encountered. Some history of abandoned campaigns. |
Low | 0.20-0.40 | Opportunistic actor without clear strategic objectives. Target is peripheral to main victimology. Minimal campaign investment observed. Actor known to shift focus frequently. Action depends heavily on target vulnerability. |
Very Low | 0.00-0.20 | Actor has no apparent motivation for this target type. Target does not match any known patterns. No dedicated infrastructure. Actor is dormant, disrupted, or focused elsewhere. Action would only occur through error or accident. |
Evidence Mapping Guide
Use the following to map article evidence to the appropriate tier.
Motivation
Observable Evidence | Typical Tier |
State directive or strategic espionage mandate | Very High |
Proven financial model (ransomware, fraud, data sales) | Very High |
Clear ideological or hacktivist objective | High |
Financial motivation without proven monetization | Moderate |
Unclear or mixed motivations | Moderate |
Opportunistic, no clear objective | Low |
No apparent motivation for target type | Very Low |
Operational Commitment
Observable Evidence | Typical Tier |
Multi-year campaigns against same target set | Very High |
Persistent retargeting after initial failure | Very High |
Sustained campaigns with regular activity | High |
Adapts TTPs in response to defenses | High |
Single campaign or limited duration | Moderate |
Abandons campaigns when resistance encountered | Low |
Sporadic activity, easily deterred | Low |
No sustained operational history | Very Low |
Resource Investment
Observable Evidence | Typical Tier |
Custom malware, zero-days, dedicated infrastructure | Very High |
Multiple custom tools, sustained infrastructure | High |
Mix of custom and public tools | Moderate |
Primarily public tools, minimal infrastructure | Low |
Off-the-shelf tools only, free infrastructure | Very Low |
Target Alignment
Observable Evidence | Typical Tier |
Target exactly matches known victimology | Very High |
Target aligns with sector and geographic focus | High |
Target partially matches (sector OR geography) | Moderate |
Target is adjacent to known targeting | Low |
Target does not match any known patterns | Very Low |
Determining the Tier
1. Map article evidence to each of the four categories above
2. Identify the tier that appears most frequently across categories
3. If evidence is mixed (e.g., two High, two Moderate), select the tier that best reflects overall threat posture and document the uncertainty
4. Select the full range for that tier; do not pick a point estimate
Endpoint Justification
Each PoA estimate must justify what conditions push toward the low versus high end of the selected tier range.
Factors That Push Toward Low End of Range
- Target is lower-value within the profile
- Actor has competing campaign priorities
- Limited sensitive data exposure at target
- Actor has shown inconsistent follow-through
- Target has demonstrated strong defenses
Factors That Push Toward High End of Range
- Target is high-value within the profile
- Target aligns with strategic objectives
- Target holds sensitive data of interest
- Actor has persistent operational history
- Target has weak or unknown defenses
Handling Insufficient Evidence
When threat intelligence does not provide sufficient evidence to map to rubric criteria:
Step | Action |
1 | Identify which rubric criteria cannot be assessed |
2 | Document the specific evidence gap |
3 | Default to Moderate tier as baseline |
4 | Mark estimate as [LOW CONFIDENCE] |
5 | Note impact on analysis reliability |
6 | Recommend update when additional intelligence becomes available |
Why Default to Moderate?
- Moderate represents the mathematical center of the scale
- Avoids overstating (High/Very High) or understating (Low/Very Low) risk
- Provides a consistent, repeatable baseline across analyses
- Allows calculations to proceed while flagging uncertainty
When NOT to Default
Do not default to Moderate if:
- Evidence explicitly indicates a different tier (even if incomplete)
- Partial evidence strongly suggests High or Low
- The analysis would be misleading with a Moderate estimate
In these cases, use the best available evidence and document the uncertainty.
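The tiering steps, the Moderate default and the TEF = CF × PoA formula above, combined in one added Python example that is not part of the original rubric. The function names, the evidence dictionary layout, the choice to default only when no category can be assessed, and the CF range in events per year are assumptions made for illustration.

```python
from collections import Counter

# Tier ranges copied from the PoA scale on this page.
POA_RANGES = {
    "Very High": (0.80, 1.00),
    "High": (0.60, 0.80),
    "Moderate": (0.40, 0.60),
    "Low": (0.20, 0.40),
    "Very Low": (0.00, 0.20),
}
CATEGORIES = ("Motivation", "Operational Commitment",
              "Resource Investment", "Target Alignment")

def determine_poa(evidence, analyst_choice=None):
    """evidence maps category -> tier name, or None when it cannot be assessed."""
    gaps = [c for c in CATEGORIES if evidence.get(c) is None]
    counts = Counter(evidence[c] for c in CATEGORIES if c not in gaps)
    notes = [f"evidence gap: {c}" for c in gaps]
    if not counts:
        # Assumption: default only when no category can be assessed at all.
        tier = "Moderate"
        notes.append("[LOW CONFIDENCE] defaulted to Moderate")
    else:
        top = max(counts.values())
        tied = [t for t in POA_RANGES if counts.get(t) == top]
        if len(tied) == 1:
            tier = tied[0]
        elif analyst_choice in tied:
            # Mixed evidence: the rubric leaves the pick to analyst judgment.
            tier = analyst_choice
            notes.append(f"mixed evidence {tied}; analyst selected {tier}")
        else:
            raise ValueError(f"mixed evidence {tied}: analyst must choose one")
    # Return the full tier range, never a point estimate.
    return {"tier": tier, "poa_range": POA_RANGES[tier], "notes": notes}

def tef_range(cf_range, poa_range):
    """TEF = CF x PoA, carried through on both ends of the ranges."""
    return (round(cf_range[0] * poa_range[0], 4),
            round(cf_range[1] * poa_range[1], 4))

# Constructed sample assessment (not taken from a real report).
SAMPLE = {"Motivation": "Very High", "Operational Commitment": "High",
          "Resource Investment": "High", "Target Alignment": "Moderate"}

if __name__ == "__main__":
    result = determine_poa(SAMPLE)
    # Assumed CF range: 4 to 12 contacts per year.
    print(result, tef_range((4, 12), result["poa_range"]))
```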
Scale Limitations
1. PoA is Not Directly Observable
Unlike technical indicators, probability of action cannot be measured directly. It is inferred from:
- Historical behavior patterns
- Observed resource investment
- Target alignment analysis
- Attribution confidence
Different analysts may reach different conclusions from the same evidence.
2. Motivation is Often Unknown
Threat intelligence rarely provides definitive insight into actor motivation. Analysts must infer motivation from:
- Targeting patterns
- Data exfiltration behavior
- Monetization attempts
- Attribution to known groups
Low-confidence attribution weakens PoA estimates.
3. PoA Can Change Rapidly
Unlike CF (which reflects operational tempo), PoA can shift based on:
- Geopolitical events
- Law enforcement actions
- Target defensive changes
- Actor leadership changes
PoA represents a point-in-time estimate.
4. Ranges Reflect Uncertainty
The ranges (e.g., 0.60-0.80) represent analyst uncertainty, not variability in actor behavior. Use the full range in calculations.
Version History
Version | Date | Changes |
3.0 | January 2026 | Revision |