Hello David. Nice to hear from you. I still like those 2 factors and see them as very similar (”does what it’s supposed to” ~ “coverage of attack surface”, “to the degree it’s supposed to” ~ “potential strength”), except your 1&2 get closer to measurement/calculation of effectiveness.

As for “adding competence”…from my experience, anything you do has that built-in already.

In some past work we opined that control effectiveness was a function of two factors: (1) the potential strength of the control , and (2) the coverage of the attack surface by the control. Perhaps I should add a competence factor to my next version of the algorithm.

Would ‘effectiveness’ and ‘cost’ cover (even if indirectly) the organization’s ability to manage/use the control? In other words, if they are not equipped to manage it well, it may not do what it’s supposed to do (effectiveness) or it may be too expensive or difficult (cost) to maintain/use it at effective levels. I completely agree an organization’s ability to manage and use a control is an important ingredient…I’m just thinking it’s encompassed somewhere within cost and effectiveness. Am I off or missing your intent?

Good point about ‘cost’ being a better word than ‘price’. It was not my intention to limit ‘price’ to only refer to $, but I see (and agree) that it reads that way. I’ve modified accordingly. Thanks.

First, I wanted to point you over to Chris’ Risktical blog.  He’ll be doing a FAIR analysis over there that looks interesting.  It’s nice that Chris is dedicating his time on this, given the amount of PCI work he’s got on his …..