Our cyber security team uses the terms threat, vulnerability and risk daily. The problem is that we often need to communicate with people who do not speak our 'language'. When we use the terms we understand the context, but others may not, so there needs to be a clear understanding of what each one means and how they differ.
To illustrate: a security analyst recently presented a vulnerability scan to a Board. It included a finding the scanning application had labeled 'critical' because exploiting it could allow access to data on the host. The Board members were beside themselves, asking, "How can such a critical risk be out there and not be remediated immediately?" The answer is that the server hosted only a cafeteria menu; it held no sensitive data and was not part of the secure network, so the risk was low even though the vulnerability itself was rated critical. The scanner rates the weakness, not the consequence for the business. Every finding has to be investigated to determine the level of risk actually associated with it.
A threat is outside our control. For example, there is a constant threat that someone may try to break into my house. The threat exists and I cannot make it go away; as long as there are burglars, the threat will always exist. All I can do is recognise that the threat exists and put defensive measures in place to thwart the burglar's efforts. I cannot make the threat itself disappear.
Now let's connect the two. A vulnerability is a weakness in our defensive measures. In our example the threat is that someone may break into my house, and the vulnerability is that I keep a spare key under a rock. A threat that can act on a vulnerability is what creates a risk.
Risk is the point where a threat and a vulnerability meet. A threat with no vulnerability to act on carries little risk: if my house is secured like Fort Knox the threat still exists, but because there is no vulnerability, the risk that the threat will be carried out successfully is low.
The other variable is the asset. The value of the asset plays a critical role in the risk. If I have a shed full of useless junk in the backyard (the asset) and I keep its key under a rock (the critical vulnerability), the risk is lower than if I kept the key to a house full of valuables under that same rock. The threat and the vulnerability are identical, but the value of the asset is lower, so the risk is lower: if they steal my broken lawnmower I lose far less than if they steal the millions I hide under the mattress. Put simply, risk is the likelihood that a threat successfully exploits a vulnerability, weighted by what the asset is worth.
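To show how the cafeteria-menu story and the asset discussion above play out in practice, here is an added Python example (not part of the original post) that turns a scanner's severity label into a contextual risk rating by combining the weakness, how reachable the host is, and what the asset is worth. The scales, thresholds, host names and findings are constructed for the illustration and are not a standard; CVSS environmental metrics do the same job with more rigor.

```python
from __future__ import annotations
from dataclasses import dataclass

# Qualitative scales. Constructed for this illustration; not a standard.
SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}
DATA_VALUE = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}
EXPOSURE_ADJUST = {"internet": 0, "internal": -1, "isolated": -2}


@dataclass(frozen=True)
class Finding:
    """One line of a scan report, as the scanner emits it (constructed)."""
    host: str
    title: str
    scanner_severity: str     # the label the scanner printed
    exploit_available: bool   # working exploit code is publicly available


@dataclass(frozen=True)
class Asset:
    """What the business knows about the host that the scanner does not."""
    host: str
    data_value: str           # key of DATA_VALUE
    exposure: str             # key of EXPOSURE_ADJUST
    segmented: bool           # kept out of the secure network by design


def _clamp(n: int, lo: int = 0, hi: int = 3) -> int:
    return max(lo, min(hi, n))


def likelihood(finding: Finding, asset: Asset) -> int:
    """0..3: chance that the ever-present threat succeeds against this host.

    The scanner's severity describes the weakness itself and is the starting
    point; reachability and exploit availability move it up or down.
    """
    score = SEVERITY[finding.scanner_severity] + EXPOSURE_ADJUST[asset.exposure]
    if finding.exploit_available:
        score += 1
    return _clamp(score)


def impact(asset: Asset) -> int:
    """0..3: what is lost if the threat succeeds (the asset's value).

    A host with nothing of its own still matters if it is a foothold into
    the secure network, hence the floor of 2 when it is not segmented.
    """
    foothold = 0 if asset.segmented else 2
    return max(DATA_VALUE[asset.data_value], foothold)


def rating(score: int) -> str:
    """Map the 0..9 likelihood*impact product back to a word the Board uses."""
    if score <= 1:
        return "low"
    if score <= 3:
        return "medium"
    if score <= 6:
        return "high"
    return "critical"


def risk(finding: Finding, asset: Asset) -> tuple[str, int]:
    """Contextual risk of one finding: (rating word, numeric score)."""
    score = likelihood(finding, asset) * impact(asset)
    return rating(score), score


def prioritize(findings: list[Finding], assets: dict[str, Asset]) -> list[dict]:
    """Re-rank a scan report by contextual risk, highest first."""
    rows = []
    for f in findings:
        word, score = risk(f, assets[f.host])
        rows.append({"host": f.host, "title": f.title,
                     "scanner": f.scanner_severity, "risk": word, "score": score})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample report: the cafeteria-menu server from the story beside
# two other hosts carrying the same or a lower scanner severity.
SAMPLE_FINDINGS = [
    Finding("cafeteria-web", "Remote file read in web app", "critical", False),
    Finding("hr-db-01", "Unauthenticated RCE in database service", "critical", True),
    Finding("vpn-gw-01", "Weak TLS cipher suites enabled", "low", True),
]
SAMPLE_ASSETS = {
    "cafeteria-web": Asset("cafeteria-web", "none", "internal", True),
    "hr-db-01": Asset("hr-db-01", "regulated", "internal", False),
    "vpn-gw-01": Asset("vpn-gw-01", "confidential", "internet", False),
}

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(f'{row["host"]:<14} scanner={row["scanner"]:<8} risk={row["risk"]:<8} ({row["score"]})')
```

Run as-is, the cafeteria server's 'critical' scanner finding comes out as low risk (no data, segmented, no public exploit), while the same label on the HR database comes out as critical and a 'low' cipher-suite finding on the internet-facing VPN gateway lands in between. That ranking, rather than the raw scanner column, is the table to put in front of a Board.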
Hopefully these illustrations have clarified the differences, and will remind those of us fluent in risk and security to provide context with the reports we present, so that decisions about securing assets can be made with a full understanding of the risks and threats.