Security is often thought of as a level of risk to "assets". An asset is anything of value, like a password, 1000 hours of CPU time, the ability to execute software on a machine, customer credit card numbers, employee Social Security Numbers, etc.
A "vulnerability" can be thought of as weaknesses that an attacker who already has access to assets X1, X2, X3, ... can exploit to gain access to new assets Y1, Y2.
Vulnerabilities in a larger system can be modeled as a directed acyclic graph, where vulnerabilities and assets are nodes. The ancestor nodes to a vulnerability X are the prerequisites for exploiting X, and the child nodes are the new assets that are obtained via the exploit.
For example, a vulnerability in iPhones might let an attacker who already has these assets:
- Access to send SMS messages
- A telephone number of an iPhone
- Knowledge of a specific 75-character message
to gain the asset:
- Ability to crash and reboot the iPhone
Certain assets in the graph can be assigned an a-priori probability that an attacker would have the asset. For example, an asset of "ability to access the internet" might be given a probability P=1.0.
Vulnerabilities can be assigned a conditional probability P(exploit | assets) representing the probability that an attacker with the assets would exploit the vulnerability.
Given those a-priori assignments, the probability of a vulnerability could be calculated as a function of its parent assets:
The probability of an attacker exploiting V1
P(V1) = P(V1|X1 ∩ X2 ∩ ...) P(X1 ∩ X2 ∩ ...)
P(V1) = P(V1|X1 ∩ X2 ∩ ...) Πi P(Xi)
Similarly, if an asset Y1 can be acquired by exploiting any one of V1, V2, ...
then the probability of an attacker obtaining Y1 is
P(Y1) = 1 - Πi (1-P(Vi))
If you are also able to assign a-priori values Damage(Y1) to some of your assets, then you can calculate an expected value for mitigating a vulnerability by summing the expected values of all assets
∑i P(Yi) Damage(Yi)
both with and without the vulnerability present and taking the difference between them.