Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Jeff Lowder

The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 2)

1. Some qualitative methodologies blur the significant distinctions between (a) “X is more probable than not,” (b) “X is just as probable as not,” and (c) “X is less probable than not.” (a) means that X has a probability greater than 50%: X is probably true. (b) means that X is exactly as likely as not-X, so there is no reason to favor one over the other. (c) means that X is improbable, with a probability less than 50%, and is therefore probably false. Many qualitative methodologies employ a High/Medium/Low interval scale for likelihood. The “High” interval clearly captures the meaning of (a) and the “Low” interval the meaning of (c). But what about the “Medium” interval? Since “Medium” usually represents some undefined range of probability values that includes values below 50%, the precise value of 50%, and values above 50%, it collapses (a), (b), and (c) into a single bucket: two events rated “Medium” may sit on opposite sides of the 50% line, which is exactly the line that determines which way a decision should go. Moreover, in such methodologies there is no interval reserved for events with an exact probability of 50%, the point of indifference that is highly significant in decision theory.
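The following added example (not part of the column) makes the blur concrete. It assumes numeric boundaries for a three-tier scale (the 0.35 and 0.65 cut-offs are invented for illustration, since real scales usually leave them undefined), constructs a handful of sample likelihood estimates, and shows that the “Medium” tier mixes events that are probably true, probably false, and exactly as likely as not, so that the expected value of acting on the event changes sign within one tier.

```python
"""Worked illustration of how a High/Medium/Low likelihood scale hides the
'more / equally / less probable than not' distinction. Added example; the
numeric tier boundaries below are assumptions, not part of any published scale."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed boundaries. Real three-tier scales usually leave these undefined,
# which is the column's complaint; we pick values just to make the blur visible.
LOW_MAX = 0.35    # p below this counts as Low
HIGH_MIN = 0.65   # p above this counts as High


def three_tier(p: float) -> str:
    """Map a probability onto the assumed High/Medium/Low interval scale."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    if p < LOW_MAX:
        return "Low"
    if p > HIGH_MIN:
        return "High"
    return "Medium"


def versus_even_odds(p: float) -> str:
    """The three cases the column distinguishes: (a) > 50%, (b) = 50%, (c) < 50%."""
    if p > 0.5:
        return "probably true"
    if p < 0.5:
        return "probably false"
    return "as likely as not"


def expected_value(p: float, gain: float, loss: float) -> float:
    """Expected value of acting as if X is true: win `gain` if X, pay `loss` if not-X.
    With symmetric stakes the sign flips at exactly p = 0.5."""
    return p * gain - (1.0 - p) * loss


@dataclass(frozen=True)
class Scenario:
    name: str
    p: float  # analyst's numeric estimate that the event occurs in the period


# Constructed sample estimates, chosen to straddle the 50% point inside "Medium".
SCENARIOS: List[Scenario] = [
    Scenario("phishing leads to credential theft", 0.80),
    Scenario("ransomware reaches file server", 0.55),
    Scenario("insider exfiltrates customer data", 0.50),
    Scenario("zero-day against the VPN appliance", 0.45),
    Scenario("physical theft of a laptop", 0.20),
]


def decisions_by_tier(scenarios: List[Scenario], gain: float = 1.0,
                      loss: float = 1.0) -> Dict[str, List[str]]:
    """Group scenarios by tier and record the column's (a)/(b)/(c) verdict
    together with the sign of the expected value of betting on the event."""
    out: Dict[str, List[str]] = {}
    for s in scenarios:
        ev = expected_value(s.p, gain, loss)
        sign = "+" if ev > 0 else "-" if ev < 0 else "0"
        out.setdefault(three_tier(s.p), []).append(
            f"{s.name}: {versus_even_odds(s.p)}, EV sign {sign}")
    return out


def blurred_tiers(scenarios: List[Scenario]) -> List[str]:
    """Tiers containing scenarios on different sides of the 50% point, i.e.
    tiers where the label alone cannot tell you which way the decision goes."""
    verdicts: Dict[str, Set[str]] = {}
    for s in scenarios:
        verdicts.setdefault(three_tier(s.p), set()).add(versus_even_odds(s.p))
    return sorted(tier for tier, v in verdicts.items() if len(v) > 1)


if __name__ == "__main__":
    for tier, rows in decisions_by_tier(SCENARIOS).items():
        print(tier)
        for row in rows:
            print("   ", row)
    print("tiers that blur the 50% distinction:", blurred_tiers(SCENARIOS))
```

Running it shows “High” and “Low” each agreeing with a single verdict, while “Medium” contains one probably-true event, one probably-false event, and one at exactly 50% whose expected value is zero. The same analysis works for any tier boundaries you substitute: as long as the middle interval spans 0.5, it will be reported as blurred.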

Nor are these problems solved by attaching vague, non-numerical pseudo-definitions to what are really numerical quantities. For example, the NIST “Risk Management Guide for Information Technology Systems” (Special Publication 800-30), Section 3.5, includes a standard 3-tier interval scale for likelihood, but the numerical ranges represented by the three intervals are not described anywhere in the Guide. Instead, the three intervals are defined in terms of threat-source motivation, capability, and control effectiveness, with no probability attached. NIST defines its intervals as follows.

High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
