Security is often thought of as a level of risk to "assets". An asset is anything of value, like a password, 1000 hours of CPU time, the ability to execute software on a machine, customer credit card numbers, employee Social Security Numbers, etc.

A "vulnerability" can be thought of as a weakness that an attacker who already has access to assets X_{1}, X_{2}, X_{3}, ... can exploit to gain access to new assets Y_{1}, Y_{2}, ...

Vulnerabilities in a larger system can be modeled as a directed acyclic graph in which both vulnerabilities and assets are nodes. The parent nodes of a vulnerability V are the assets that are prerequisites for exploiting V, and its child nodes are the new assets obtained via the exploit. Edges therefore always run asset → vulnerability → asset, and the graph must be acyclic: the probability calculation below walks it from the a priori assets downward, so an asset that is (transitively) a prerequisite for obtaining itself has no well-defined value.

For example, a vulnerability in iPhones might let an attacker who already has these assets:

- Access to send SMS messages
- A telephone number of an iPhone
- Knowledge of a specific 75-character message

to gain the asset:

- Ability to crash and reboot the iPhone

Certain assets in the graph can be assigned an a priori probability that an attacker already holds the asset. For example, an asset of "ability to access the internet" might be given a probability P = 1.0.

Vulnerabilities can be assigned a conditional probability P(exploit | assets) representing the probability that an attacker who holds all of the prerequisite assets would exploit the vulnerability.

Given those a priori assignments, the probability that an attacker exploits a vulnerability V_{1} whose prerequisite assets are X_{1}, X_{2}, ... is

P(V_{1}) = P(V_{1} | X_{1} ∩ X_{2} ∩ ...) P(X_{1} ∩ X_{2} ∩ ...)

and, if the prerequisite assets are independent of one another, the joint probability factors into a product:

P(V_{1}) = P(V_{1} | X_{1} ∩ X_{2} ∩ ...) Π_{i} P(X_{i})

The independence assumption is the weak point of the model in practice: prerequisites are often obtained from the same earlier foothold, and for positively correlated assets the product under-estimates the joint probability.

Similarly, if an asset Y_{1} can be acquired by exploiting any one of V_{1}, V_{2}, ..., and those exploits are independent,

then the probability of an attacker obtaining Y_{1} is one minus the probability that every route to it fails:

P(Y_{1}) = 1 - Π_{i} (1 - P(V_{i}))

Evaluating nodes in topological order, starting from the assets with a priori probabilities, yields a probability for every asset and vulnerability in the graph.

If you are also able to assign a priori values Damage(Y_{i}) to some of your assets, then you can calculate an expected value for mitigating a vulnerability by summing the expected damage over all assets

∑_{i} P(Y_{i}) Damage(Y_{i})

once with the vulnerability present and once with it removed from the graph (so that every asset and vulnerability downstream of it is re-evaluated), and taking the difference between the two sums. That difference is the expected damage the mitigation avoids.
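As an added worked example (not code from the original page), the following Python propagates the a priori probabilities through a small attack graph in topological order, sums the expected damage, and prices a mitigation as the difference with and without the vulnerability. It uses the SMS-crash example above with constructed numbers, plus a hypothetical second route to the same asset so that the OR rule has two terms to combine; the node names, probabilities and damage values are assumptions. One small generalization of the text's two formulas: an asset's a priori probability is folded in as one more independent route, so an asset with both a prior and producing vulnerabilities is handled by the same rule.

```python
"""Attack-graph risk propagation.

Added worked example; not code from the original page. Node names,
probabilities and damage values are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from graphlib import CycleError, TopologicalSorter


@dataclass
class Asset:
    name: str
    prior: float = 0.0    # a priori P(attacker already holds this asset)
    damage: float = 0.0   # Damage(Y): cost if the attacker obtains it


@dataclass
class Vuln:
    name: str
    requires: list[str]   # prerequisite assets (all must be held)
    yields: list[str]     # assets obtained by exploiting it
    p_exploit: float      # P(exploit | all prerequisite assets held)


class AttackGraph:
    def __init__(self, assets: list[Asset], vulns: list[Vuln]):
        self.assets = {a.name: a for a in assets}
        self.vulns = {v.name: v for v in vulns}
        for v in vulns:
            for name in v.requires + v.yields:
                if name not in self.assets:
                    raise ValueError(f"{v.name}: unknown asset {name!r}")

    def probabilities(self, exclude=()) -> dict[str, float]:
        """P(node) for every asset and vulnerability, evaluated in topological
        order. Vulnerabilities named in `exclude` are treated as mitigated,
        i.e. removed from the graph before anything is computed."""
        active = [v for v in self.vulns.values() if v.name not in exclude]
        preds = {name: set() for name in self.assets}        # node -> nodes needed first
        producers = {name: [] for name in self.assets}       # asset -> vulns yielding it
        for v in active:
            preds[v.name] = set(v.requires)
            for y in v.yields:
                preds[y].add(v.name)
                producers[y].append(v.name)
        try:
            order = list(TopologicalSorter(preds).static_order())
        except CycleError as e:
            raise ValueError("attack graph must be acyclic") from e

        p: dict[str, float] = {}
        for node in order:
            if node in self.vulns:
                v = self.vulns[node]
                joint = 1.0                    # Π_i P(X_i): prerequisites assumed independent
                for x in v.requires:
                    joint *= p[x]
                p[node] = v.p_exploit * joint  # P(V | X_1 ∩ X_2 ∩ ...) Π_i P(X_i)
            else:
                a = self.assets[node]
                # 1 - Π_i (1 - P(V_i)), with the a priori probability treated as
                # one more independent route to the asset (extension of the text).
                miss = 1.0 - a.prior
                for vn in producers[node]:
                    miss *= 1.0 - p[vn]
                p[node] = 1.0 - miss
        return p

    def expected_damage(self, exclude=()) -> float:
        """∑_i P(Y_i) Damage(Y_i) over all assets."""
        p = self.probabilities(exclude)
        return sum(p[a.name] * a.damage for a in self.assets.values())

    def mitigation_value(self, vuln_name: str) -> float:
        """Expected damage avoided by removing one vulnerability from the graph."""
        return self.expected_damage() - self.expected_damage(exclude=(vuln_name,))


def build_example() -> AttackGraph:
    """The SMS-crash example from the text, with constructed numbers, plus a
    hypothetical second route to the same asset so the OR rule has two terms."""
    assets = [
        Asset("send_sms", prior=1.0),
        Asset("phone_number", prior=0.5),
        Asset("crash_message", prior=0.2),
        Asset("internet", prior=1.0),
        Asset("crash_reboot", damage=100.0),
    ]
    vulns = [
        Vuln("sms_crash", ["send_sms", "phone_number", "crash_message"],
             ["crash_reboot"], p_exploit=0.9),
        Vuln("other_crash", ["internet"], ["crash_reboot"], p_exploit=0.05),  # hypothetical
    ]
    return AttackGraph(assets, vulns)


if __name__ == "__main__":
    g = build_example()
    for node, prob in g.probabilities().items():
        print(f"P({node}) = {prob:.4f}")
    print(f"expected damage = {g.expected_damage():.2f}")
    for vn in g.vulns:
        print(f"value of mitigating {vn} = {g.mitigation_value(vn):.2f}")
```

With these numbers P(sms_crash) = 0.9 × 1.0 × 0.5 × 0.2 = 0.09, P(other_crash) = 0.05, and P(crash_reboot) = 1 − 0.91 × 0.95 = 0.1355, so the expected damage is 13.55 and removing sms_crash is worth 8.55 while removing other_crash is worth 4.55. Because `probabilities()` rebuilds the graph without the excluded vulnerability, a mitigation's value automatically includes everything downstream of it, which is what the "with and without" comparison requires.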