
FAIR Integration with TLCTC v2.0

Critical Analysis: Enhanced Framework for Quantitative Risk Analysis

TLCTC Framework

Overview

FAIR (Factor Analysis of Information Risk) provides a robust framework for quantifying information security risk but lacks a structured approach to cyber threat categorization and struggles with modeling complex attack sequences. The TLCTC v2.0 framework dramatically enhances FAIR's capabilities by providing precise cyber threat categorization, temporal analysis through Attack Velocity (Δt), domain boundary modeling, and a rigorous methodology for understanding multi-stage cyber attacks. This updated integration guide incorporates TLCTC v2.0's new capabilities: four Velocity Classes (VC-1 through VC-4), Domain Boundary Operators for responsibility mapping, Data Risk Event (DRE) tags for outcome separation, and the nine R-* classification rules that ensure consistent threat mapping.

Full Specification Available

This blog post provides a high-level overview of the TLCTC-FAIR integration. The complete specification — including the Layer 4 JSON Schema, full FAIR ontology decomposition (FAIR Model v3.0, FAIR-CAM v1.0, FAIR-MAM), NIST CSF 2.0 control mapping, distribution specifications, and a worked example with validated JSON — is available in the TLCTC GitHub repository:

  • documentation/tlctc-fair-integration-proposal.md — Full proposal document
  • json-schemas/layer-4/tlctc-fair-risk.schema.json — JSON Schema (Draft 7)
  • json-schemas/layer-4/examples/ — Validated example instances

[Figure: illustration depicting the integration architecture between TLCTC v2.0 threat clusters and velocity data flowing into the FAIR quantitative risk quantification model's loss frequency and magnitude calculations.]
Caption: Conceptual Model: Integrating TLCTC v2.0 Velocity & Clusters into the FAIR Risk Engine.

Current State Analysis

FAIR's Strengths

  • Strong quantitative risk analysis methodology with established loss magnitude calculations
  • Clear framework for calculating loss magnitude across primary and secondary loss forms
  • Established approach to control effectiveness evaluation
  • Proven methodology for risk prioritization and Monte Carlo simulation

FAIR's Limitations

  • Lacks explicit, standardized threat categorization taxonomy
  • Struggles with modeling complex, multi-stage attack sequences
  • Limited ability to represent parallel threat execution
  • No temporal dimension for defender response window analysis
  • Difficulty in modeling threat interdependencies and domain boundary crossings
  • No structured separation of causes (threats) from consequences (outcomes)

TLCTC v2.0's Complementary Capabilities

  • Precise threat categorization through 10 non-overlapping clusters (#1–#10) based on generic vulnerabilities
  • Strategic (#X) and Operational (TLCTC-XX.YY) notation layers for different audience needs
  • Attack Velocity (Δt) annotations measuring time between attack steps
  • Four Velocity Classes (VC-1 to VC-4) mapping to defender response capabilities
  • Domain Boundary Operators ||[context][@Source→@Target]|| for responsibility mapping
  • Data Risk Event (DRE) tags separating causes from consequences (C/I/A)
  • Nine R-* classification rules ensuring consistent threat mapping
  • Bridge clusters (#8, #9, #10) and Internal clusters (#1–#7) topology

TLCTC v2.0 Notation Reference

Before diving into FAIR integration, understanding TLCTC v2.0's enhanced notation is essential. The framework now provides comprehensive attack path documentation capabilities.

Attack Path Notation

Element              Notation              Example
-------------------  --------------------  --------------------------
Sequential steps     → or ->               #9 → #4 → #1
Velocity annotation  →[Δt=value]           #9 →[Δt=2h] #4
Parallel steps       (#X + #Y)             (#1 + #7)
Domain boundary      ||[ctx][@Src→@Tgt]||  #10 ||[dev][@Vendor→@Org]||
Data Risk Event      + [DRE: X]            #2 + [DRE: C, I]

Velocity Classes

Velocity Classes map Δt ranges to defender response capabilities. This is a critical enhancement for FAIR integration—it determines which control types are structurally viable for a given attack transition.

Class  Time Range     Response Mode  Control Strategy
-----  -------------  -------------  ----------------------------------------------------
VC-1   Days → Months  Strategic      Log retention, threat hunting, strategic monitoring
VC-2   Hours          Tactical       SIEM alerting, analyst triage, guided response
VC-3   Minutes        Operational    SOAR/EDR automation, rapid containment
VC-4   Seconds → ms   Real-Time      Architecture, circuit breakers, hardening

Enhanced Integration Framework

1. Risk Quantification Enhancements

TLCTC v2.0 provides four key enhancements to FAIR's risk quantification methodology:

Sequence Complexity Factor (SCF)

Accounts for attack path length, complexity, and velocity variance. TLCTC v2.0's Δt annotations provide empirical data for calculating realistic SCF values.

SCF = f(path_length, parallel_groups, velocity_variance)

Where velocity_variance captures the spread across Velocity Classes within a single path—paths with mixed VC-4 and VC-1 transitions require different control strategies than uniform-velocity paths.

Compound Threat Multipliers (CTM)

Models simultaneous threat execution using TLCTC's parallel operator notation. When threats execute in parallel, the combined probability and impact differ from sequential execution.

CTM(#X + #Y) = 1 + synergy_factor(X, Y)

Synergy factors are highest when parallel clusters target orthogonal defenses. For example, (#1 + #7) combining function abuse with malware execution often bypasses controls tuned to either threat alone.

Velocity-Weighted Control Effectiveness (VWCE)

A critical v2.0 enhancement: control effectiveness MUST be weighted by Velocity Class. A control that is highly effective against VC-1 attacks may be structurally irrelevant against VC-4 attacks.

VWCE(control, transition) = base_effectiveness × VC_applicability_factor

Example: Security Awareness Training has high base_effectiveness against #9, but VC_applicability drops to near-zero for VC-4 transitions where the human has <1 second to respond.

Path Variance Analysis (PVA)

Evaluates multiple potential attack paths using TLCTC notation. v2.0's Domain Boundary Operators enable more precise path differentiation based on responsibility sphere crossings.

Total_Risk = Σ(Path_Risk_i × Path_Probability_i)

2. Implementation Framework

The following phases integrate TLCTC v2.0 analysis into the FAIR methodology:

Phases and activities:

Threat Modeling
  • Use R-* rules to classify threats into TLCTC clusters
  • Map potential attack sequences with Δt annotations
  • Identify parallel threat executions and domain boundary crossings
  • Document responsibility sphere handoffs using ||...|| notation

Risk Analysis
  • Calculate SCF based on TLCTC sequence length/complexity
  • Apply CTM for parallel groups identified via TLCTC notation
  • Perform PVA evaluating alternative TLCTC paths
  • Apply VWCE based on Velocity Class per transition

Risk Reporting
  • Document primary attack sequences using v2.0 notation
  • Map controls to specific clusters with VWCE ratings
  • Calculate enhanced risk scores incorporating velocity
  • Record outcomes separately using DRE tags

Real-World Application: SCATTERED SPIDER

The following example demonstrates TLCTC v2.0 notation applied to a documented identity-driven attack, incorporating all v2.0 enhancements including velocity annotations, domain boundaries, and DRE outcome tags.

Attack Path (Full v2.0 Notation)

attack_path_notation.txt
#9 ||[human][@External→@Org(HelpDesk)]|| →[Δt<1m] #4 →[Δt=2-5m] #1 →[Δt=hours] #4 →[Δt<24h] #7 + [DRE: C, A]

Step-by-Step Analysis

Step  Cluster  Velocity         Description
----  -------  ---------------  ----------------------------------------------
1     #9       Bridge entry     Help desk vishing attack (R-HUMAN applies)
2     #4       Δt<1m (VC-4)     Account takeover — real-time velocity!
3     #1       Δt=2-5m (VC-3)   MFA device registration, evidence deletion
4     #4       Δt=hours (VC-2)  Lateral credential theft (ntds.dit extraction)
5     #7       Δt<24h (VC-2)    Ransomware deployment + [DRE: C, A]

FAIR Enhancement Application

# Apply SCF for 5-step sequence
SCF = base_factor × (1 + log(path_length)) × velocity_variance_penalty

# Apply VWCE — key insight from v2.0:
# The #9→#4 transition at VC-4 velocity means:
#   - Human-dependent controls (awareness training) = ~0% effective
#   - Only architectural controls matter at this transition

# Domain boundary insight:
# ||[human][@External→@Org(HelpDesk)]|| identifies help desk as attack surface

Control Effectiveness by Velocity Class

A critical v2.0 insight: control effectiveness is not absolute—it varies by Velocity Class. The Layer 4 specification organizes controls through a three-tier hierarchy: NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) as strategic objectives, FAIR-CAM v1.0 domains (Prevention, Detection, Response) as analytical categories, and VWCE ratings per Velocity Class for structural viability. The following matrix provides calibration guidance:

Control Type                     VC-1 (Strategic)  VC-2 (Tactical)  VC-3 (Ops)  VC-4 (Real-Time)
-------------------------------  ----------------  ---------------  ----------  ----------------
Security Awareness (#9)          High              Med              Low         None
SIEM Alerting (#4)               High              High             Low         None
EDR / Automation (#7)            High              High             High        Med
Architecture/Hardening (#2/#3)   High              High             High        High
Supply Chain Verification (#10)  High              Med              Low         None
Figure 1: Velocity-Weighted Control Effectiveness (VWCE) Matrix
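
The SCATTERED SPIDER path string and the VWCE matrix can be combined mechanically. The following is an added example, not code from the TLCTC repository: it parses the v2.0 notation, assigns a Velocity Class to each transition, and lists the control types the matrix rates "None" there. The second-level class boundaries (60 s, 1 h, 24 h) and all function names are assumptions made for this illustration.

```python
import re

# Path string copied from the SCATTERED SPIDER example on this page.
PATH = ("#9 ||[human][@External→@Org(HelpDesk)]|| →[Δt<1m] #4 →[Δt=2-5m] #1 "
        "→[Δt=hours] #4 →[Δt<24h] #7 + [DRE: C, A]")
UNIT_S = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}
# ASSUMED boundaries in seconds; the page names only seconds/minutes/hours/days.
VC_LIMITS = [(60, "VC-4"), (3600, "VC-3"), (86400, "VC-2")]
WORDS = {"seconds": "VC-4", "minutes": "VC-3", "hours": "VC-2", "days": "VC-1"}
# Ratings transcribed from the page's VWCE matrix, ordered VC-1 .. VC-4.
VWCE = {
    "Security Awareness (#9)": ("High", "Med", "Low", "None"),
    "SIEM Alerting (#4)": ("High", "High", "Low", "None"),
    "EDR / Automation (#7)": ("High", "High", "High", "Med"),
    "Architecture/Hardening (#2/#3)": ("High", "High", "High", "High"),
    "Supply Chain Verification (#10)": ("High", "Med", "Low", "None"),
}

def velocity_class(op, dt):
    """Map a Δt annotation to a class; '<24h' is strictly below its bound."""
    m = re.fullmatch(r"(?:[\d.]+-)?([\d.]+)(ms|s|m|h|d)", dt)
    if not m:
        return WORDS[dt]  # bare unit words such as 'hours'; KeyError if unknown
    seconds = float(m.group(1)) * UNIT_S[m.group(2)]  # upper bound of a range
    for limit, vc in VC_LIMITS:
        if seconds < limit or (op == "<" and seconds == limit):
            return vc
    return "VC-1"

def parse_path(path):
    """Split a path string into entry cluster, boundary, transitions and DRE tags."""
    entry = re.match(r"\s*(#\d+)", path).group(1)
    boundary = re.search(r"\|\|\[(\w+)\]\[@(.+?)→@(.+?)\]\|\|", path)
    hops = re.findall(r"→\[Δt([<=])([^\]]+)\]\s*(#\d+)", path)
    clusters = [entry] + [h[2] for h in hops]
    steps = [(clusters[i], c, velocity_class(op, dt)) for i, (op, dt, c) in enumerate(hops)]
    dre = re.search(r"\[DRE:\s*([^\]]+)\]", path)
    return {"entry": entry, "steps": steps,
            "boundary": boundary.groups() if boundary else None,
            "dre": [t.strip() for t in dre.group(1).split(",")] if dre else []}

def nonviable_controls(path):
    """Per transition, the control types the matrix rates 'None' at its class."""
    return [(f"{s}→{d}", vc, [c for c, r in VWCE.items() if r[int(vc[-1]) - 1] == "None"])
            for s, d, vc in parse_path(path)["steps"]]

if __name__ == "__main__":
    print(*nonviable_controls(PATH), sep="\n")
```

Only the #9→#4 transition returns a non-empty list, which matches the point made above that human-dependent controls drop out at VC-4.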

Benefits of v2.0 Integration

  1. More Accurate Risk Quantification:
    • Velocity-weighted control effectiveness prevents overestimating defenses against fast attacks
    • Domain boundary annotations identify responsibility gaps and handoff risks
    • DRE separation ensures clean cause-consequence analysis
  2. Improved Control Evaluation:
    • R-* rules ensure consistent threat-to-cluster mapping across analyses
    • Velocity Classes reveal which control types are structurally viable
    • Bridge/Internal cluster topology guides control placement
  3. Enhanced Communication:
    • Strategic (#X) notation for executive reporting
    • Operational (TLCTC-XX.YY) notation for technical teams
    • Velocity annotations translate to defender response requirements
  4. Better Resource Allocation:
    • VWCE guides investment toward controls effective at observed velocities
    • Responsibility sphere mapping identifies accountability gaps
    • Path variance analysis prioritizes highest-likelihood attack routes

Layer 4: Risk Quantification Schema

The TLCTC-FAIR integration is formalized as Layer 4 in the TLCTC JSON architecture — a new machine-readable schema that bridges Layer 3 attack path analysis with FAIR risk quantification:

Layer    Purpose                                                                      Mutability
-------  ---------------------------------------------------------------------------  ----------
Layer 1  Framework dictionary — clusters, axioms, rules                               Static
Layer 2  Reference registries — spheres, boundary contexts                            Context
Layer 3  Attack path instances — incident analyses                                    Dynamic
Layer 4  FAIR risk quantification — financial risk modeling with SCF, CTM, VWCE, PVA  Risk

Layer 4 instances reference Layer 3 attack paths and enrich them with FAIR factor estimates using standard distributions — Beta-PERT for frequency (min/mode/max/confidence), lognormal for magnitude (5th/95th percentile) — ensuring compatibility with existing FAIR tooling. The schema models the complete FAIR decomposition tree (FAIR Model v3.0), maps controls through NIST CSF 2.0 → FAIR-CAM v1.0 → VWCE, and captures all four TLCTC enhancement factors per transition.

JSON Schema

The full Layer 4 JSON Schema (Draft 7), integration proposal, and validated examples are available in the TLCTC GitHub repository under json-schemas/layer-4/. The schema follows the same conventions as Layers 1–3: strict validation, explicit required fields, and extensions for forward-compatibility.

Final Risk Calculation

The enhanced FAIR risk score integrates TLCTC v2.0 factors:

Enhanced_FAIR_Risk = f(Base_FAIR_Risk, SCF, CTM, PVA, VWCE)

Adjusted_LEF = Base_LEF × SCF × Σ(CTM_i)
Adjusted_LM  = Base_LM × VWCE_impact_factor
Total_Risk   = Σ(Adjusted_LEF_j × Adjusted_LM_j × path_probability_j)

Where:

  • SCF: Sequence Complexity Factor — reduces LEF based on path length, parallel groups, and velocity variance
  • CTM: Compound Threat Multipliers — synergy/interference factors for parallel cluster execution
  • PVA: Path Variance Analysis — weighted aggregation across alternative attack routes
  • VWCE: Velocity-Weighted Control Effectiveness — per-transition control viability (base_effectiveness × vc_applicability)
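
The three formulas above can be run as a small Monte Carlo simulation using the distributions the Layer 4 description names (Beta-PERT for frequency, lognormal from 5th/95th percentiles for magnitude). This is an added example, not the project's own code: the dictionary keys are hypothetical and are not the Layer 4 schema's field names, every input number is constructed, and the PERT shape value of 4 is an assumption. It also assumes that a path with no parallel groups contributes a CTM sum of 1.0, since an empty Σ(CTM_i) would otherwise set the adjusted frequency to zero.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal

def pert_sample(rng, lo, mode, hi, lam=4.0):
    """One Beta-PERT draw; lam=4 is the classic PERT shape (ASSUMED default)."""
    a = 1 + lam * (mode - lo) / (hi - lo)
    b = 1 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)

def lognormal_params(p5, p95):
    """(mu, sigma) of the lognormal whose 5th/95th percentiles are p5/p95."""
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * Z95)
    return mu, sigma

def total_risk(paths, runs=20000, seed=7):
    """Mean of Σ_j Adjusted_LEF_j × Adjusted_LM_j × path_probability_j over all runs."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(runs):
        for p in paths:
            base_lef = pert_sample(rng, *p["lef_min_mode_max"])
            base_lm = rng.lognormvariate(*lognormal_params(*p["lm_p5_p95"]))
            # ASSUMPTION: a path without parallel groups has an empty CTM list;
            # use 1.0 (no synergy) so that Σ(CTM_i) does not zero the frequency.
            ctm_sum = sum(p["ctm"]) if p["ctm"] else 1.0
            adjusted_lef = base_lef * p["scf"] * ctm_sum
            adjusted_lm = base_lm * p["vwce_impact_factor"]
            total += adjusted_lef * adjusted_lm * p["path_probability"]
    return total / runs

# CONSTRUCTED inputs: every number and key name below is illustrative only.
SAMPLE_PATHS = [
    {"lef_min_mode_max": (0.1, 0.5, 2.0), "lm_p5_p95": (50_000, 2_000_000),
     "scf": 0.8, "ctm": [], "vwce_impact_factor": 0.9, "path_probability": 0.7},
    {"lef_min_mode_max": (0.05, 0.2, 1.0), "lm_p5_p95": (100_000, 5_000_000),
     "scf": 0.6, "ctm": [1.3], "vwce_impact_factor": 0.7, "path_probability": 0.3},
]

if __name__ == "__main__":
    print(f"Total_Risk (mean annual loss): {total_risk(SAMPLE_PATHS):,.0f}")
```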

References

  • TLCTC Framework v2.0 Whitepaper: tlctc.net
  • FAIR Institute: FAIR Model v3.0, FAIR-CAM v1.0, FAIR-MAM v1.0 (January 2025)
  • The Open Group: Open FAIR Risk Taxonomy (O-RT) v3.1, Risk Analysis (O-RA) v2.1 (2025)
  • FAIR Institute: Cyber Risk Scenario Taxonomy (FAIR-CRS), February 2025
  • NIST Cybersecurity Framework (CSF) v2.0, February 2024
  • CrowdStrike 2025 Global Threat Report (attack velocity benchmarks)
  • TLCTC GitHub Repository — Layer 4 JSON Schema and full integration proposal

TLCTC v2.0 — Bridging quantitative risk analysis with structured threat intelligence