The Difference Between a Security Risk, Vulnerability and Threat
posted by John Spacey, December 09, 2012

It's often the most basic definitions that are the easiest to get wrong.
When it comes to information security there are no more important concepts than risk, threat and vulnerability.
The difference between these terms might seem obvious. Nevertheless, they are frequently misused.
Threat
When did the future switch from being a promise to a threat?
~ Chuck Palahniuk
A threat is something bad that might happen.
It's as simple as that. A more complex definition wouldn't be any more helpful.
From a security perspective the first threat that pops to mind is a security attack. However, a threat can range from innocent mistakes made by employees to natural disasters.
Vulnerability
Vulnerability is the birthplace of innovation, creativity and change.
~ Brené Brown
It's common to define vulnerability as "weakness" or as an "inability to cope". Both of these definitions are completely wrong (from a security and risk management perspective).
A better definition of vulnerability is "exposure".
If you give a presentation at a conference it might open you to criticism or even ridicule. Plenty of people have a fear of public speaking for this very reason. However, the act of giving a speech isn't a weakness; it's an exposure.
Connecting a system to the internet can represent a vulnerability. For example, it exposes a system to a DDoS attack. However, connecting a system to customers via the internet isn't likely to be considered a weakness from a business perspective.
Risk
No man is worth his salt who is not ready at all times to risk his well-being, to risk his body, to risk his life, in a great cause.
~ Theodore Roosevelt
Risk is a chance that something unexpected will happen. It's the combination of threats and vulnerabilities:
Risk = Threats x Vulnerabilities
IT security professionals tend to think of risk as bad. They might define it as the "chance that something bad will happen".
However, from a business perspective risk can be considered a good thing. Therefore, risk management professionals treat risks as potentially positive.
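As an added illustration (not part of the original article), the following Python models the formula above as a small risk register. It treats a vulnerability as an exposure, as the article does, so a threat that has no matching exposure on a system contributes no risk to it no matter how likely the threat is, and a threat that meets a large exposure scores higher than the same threat meeting a small one. The likelihood values, the exposure names and degrees, and the two sample systems are constructed for this example.

```python
# Added example, not from the original article: a minimal risk register that
# applies "Risk = Threats x Vulnerabilities", with vulnerability read as
# exposure (a degree from 0.0 to 1.0) rather than as weakness.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """Something bad that might happen: an attack, a mistake, a flood."""
    name: str
    likelihood: float       # assumed chance of the threat occurring, 0.0 .. 1.0
    acts_through: frozenset  # the exposures this threat needs to reach a system


@dataclass(frozen=True)
class System:
    """An asset and its exposures, mapped to how exposed it is (0.0 .. 1.0)."""
    name: str
    exposures: dict


def vulnerability(threat: Threat, system: System) -> float:
    """The exposure factor of a system towards one threat.

    It is the largest degree of any exposure the threat can act through; if the
    system has none of them, the factor is 0.0 and the threat cannot reach it.
    """
    degrees = [system.exposures.get(e, 0.0) for e in threat.acts_through]
    return max(degrees, default=0.0)


def risk(threat: Threat, system: System) -> float:
    """Risk = Threat x Vulnerability for one threat against one system."""
    return threat.likelihood * vulnerability(threat, system)


def risk_register(threats, systems):
    """Return (system, threat, risk) rows with non-zero risk, highest first."""
    rows = []
    for s in systems:
        for t in threats:
            r = risk(t, s)
            if r > 0.0:
                rows.append((s.name, t.name, r))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample data (names and numbers are illustrative assumptions).
THREATS = (
    Threat("DDoS attack", 0.5, frozenset({"internet-facing"})),
    Threat("employee mistake", 0.8, frozenset({"human-operated"})),
    Threat("flood", 0.05, frozenset({"ground-floor datacentre"})),
)
SYSTEMS = (
    System("customer portal", {"internet-facing": 1.0, "human-operated": 0.5}),
    System("offline archive", {"ground-floor datacentre": 1.0, "human-operated": 0.1}),
)

if __name__ == "__main__":
    for system, threat, score in risk_register(THREATS, SYSTEMS):
        print(f"{system:16} {threat:18} risk={score:.2f}")
```

The flood never appears against the customer portal and the DDoS never appears against the offline archive: the threats exist, but without the matching exposure the vulnerability factor is zero and so is the risk. The same employee-mistake threat scores five times higher on the portal than on the archive purely because the portal is more exposed to it, which is the distinction between threat and vulnerability the article draws.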