Risk Management
• The intent gap—Describing how conditions found would reasonably lead
an attacker (based on past tactics, motivation, and similar factors) to conclude
that the rewards associated with successfully exploiting a vulnerability
outweigh the risks of failure, of being identified as the attacker, or of
being apprehended
This description would also benefit from an understanding of the organizational
breadth and depth associated with any vulnerability. Although all vulnerabilities
are “owned” by the enterprise since they map directly to assets used to achieve
objectives, there are differing parameters that describe the mitigative effect that the
organization can exert on the vulnerability in order to address it. These parameters ...