170 ◾ Appendix A
A.4.1.2.1 Risk Metrics
Risk metrics are those that measure threats, vulnerabilities, and associated risks to the
TTOA. reat is an external or internal circumstance/event that may cause potential
harm to the system. Vulnerability is a weakness of an information system or its com-
ponents that could be exploited to violate assurances in systems. Risk is the prob-
ability that a particular threat will exploit a particular vulnerability of the system.
e intelligent communities’ INFOSEC Risk Management Methodology provides
a consistent repeatable measurement method for determining IA risk of a system
by observing and analyzing the threats, vulnerabilities, and significance levels. e
result is a qualitative subjective measurement ...