Threat, vulnerability and risk are terms that are fundamental to cybersecurity. But sometimes people confuse their meanings. It is crucial for CIOs and security leads in an organization to understand the relationship between threats and vulnerabilities so they can efficiently manage the impact of a data compromise and handle IT risk.
Done well, this not only reduces operations expenditure over time but also builds customer confidence and can increase sales. This post discusses the key differences between vulnerability, threat and risk from the perspective of IT security:
• Threat is what a company is defending itself against.
• Vulnerabilities are the gaps or flaws that undermine a company’s IT security efforts, for example a weakness in a firewall.
• Risk refers to the calculated assessment of potential threats to an organization’s security, combined with the vulnerabilities within its network and information systems.
Cyber threats refer to cybersecurity situations or events with the potential to instigate harm by way of their outcome. A few examples of common threats include:
• Malware or a phishing attack that leads to a hacker installing a trojan and stealing private data from your applications,
• Political activists DDoS-ing (distributed denial-of-service) your website,
• An admin accidentally leaving data open on a production system, leading to a data breach,
• A natural calamity like flood, damaging your ISP’s data center.
Cybersecurity threats are realized by threat actors. Threat actors usually consist of people or entities who may potentially instigate a threat. While natural calamities, as well as other environmental and political incidents, do constitute threats, they are not generally considered threat actors (this does not mean that such threats should be overlooked or given less importance). Examples of common threat actors include economically motivated criminals (hackers), politically motivated activists (hacktivists), competitors, negligent employees, dissatisfied employees, and nation-state hackers.
Cyber threats can also turn even more dangerous if threat actors use one or more vulnerabilities to obtain access to a system, often including the OS.
Vulnerabilities describe the weaknesses in a system. They make threat outcomes possible and potentially more damaging. A system can be compromised through a single vulnerability: with a single SQL Injection attack, for example, an attacker can gain full control over sensitive data. An attacker could also chain several exploits together, taking advantage of more than one vulnerability to cause more harm.
A few examples of common vulnerabilities include SQL Injection, server misconfigurations, sensitive data transferred in plain text, Cross-site Scripting, etc.
Risks are often confused with threats. Nevertheless, there is a major difference between the two terms. A cybersecurity risk refers to the combination of a threat's probability and the loss it would cause (usually expressed in financial terms, though the cost of a breach is difficult to measure). If we were to define it mathematically, this translates to the following: risk = threat probability * potential loss.
Therefore, a risk is a scenario that should be avoided, weighted by the probable losses that would result from that scenario. Let us look at a hypothetical example of how a risk can be defined:
• SQL Injection constitutes a vulnerability
• Sensitive data theft is one of the critical threats enabled by the SQL Injection
• Financially motivated hackers are the threat actors
• The impact of sensitive data being stolen is significant financial and reputational loss to the business
• The likelihood of such an attack is high, especially since SQL Injection is easy to attempt and widely used, and the site is exposed externally
Therefore, the SQL Injection vulnerability in this case should be considered a high-risk vulnerability.
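To show how the formula risk = threat probability * potential loss turns the hypothetical above into a ranked risk register, here is a small added Python example (not part of the original post). The scenarios, probabilities, loss figures and the high/medium/low thresholds are all constructed for illustration; a real assessment would substitute its own estimates.

```python
"""Worked risk scoring using the post's formula: risk = threat probability * potential loss.

Added example; the scenario list and every number in it are constructed for
illustration, not taken from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One line of a risk register: a threat realized through a vulnerability."""
    name: str
    threat_actor: str          # who realizes the threat ("none" for environmental events)
    vulnerability: str         # the weakness that makes the outcome possible
    annual_probability: float  # estimated chance the threat is realized in a year (0..1)
    potential_loss: float      # estimated loss if it happens, in currency units

    def risk(self) -> float:
        """Expected annual loss, i.e. the post's risk = threat probability * potential loss."""
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if self.potential_loss < 0:
            raise ValueError(f"{self.name}: loss cannot be negative")
        return self.annual_probability * self.potential_loss


def risk_band(risk: float, high: float = 100_000.0, medium: float = 10_000.0) -> str:
    """Map an expected loss to a qualitative band. Thresholds are assumed, not from the post."""
    if risk >= high:
        return "high"
    if risk >= medium:
        return "medium"
    return "low"


def rank_register(register: list[Scenario]) -> list[tuple[str, float, str]]:
    """Return (name, risk, band) tuples sorted from highest to lowest risk."""
    rows = [(s.name, s.risk(), risk_band(s.risk())) for s in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register mirroring the post's hypothetical and its threat examples.
REGISTER = [
    Scenario("SQL injection -> sensitive data theft", "financially motivated hackers",
             "unparameterized SQL query on the public site", 0.60, 500_000.0),
    Scenario("DDoS on public website", "hacktivists",
             "no upstream traffic scrubbing", 0.30, 80_000.0),
    Scenario("Admin leaves data exposed on production", "negligent employee",
             "missing change review on production systems", 0.10, 300_000.0),
    Scenario("Flood damages ISP data center", "none (natural calamity)",
             "single-site hosting, no failover", 0.01, 2_000_000.0),
]

if __name__ == "__main__":
    for name, risk, band in rank_register(REGISTER):
        print(f"{band:>6}  {risk:>12,.0f}  {name}")
```

With these constructed figures the SQL injection scenario lands at an expected loss of 300,000 and is the only entry in the "high" band, matching the post's conclusion; the flood scenario, despite the largest single loss, ranks lowest because its probability is so small, which is exactly the distinction between a threat and a risk that the post draws.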
The difference between a vulnerability and a cyber threat, and the difference between a vulnerability and a risk, are relatively easy to comprehend. However, the difference between a threat and a risk may be a little confusing. Understanding this difference in terminology gives security teams and other parties a shared understanding, and a better knowledge of how threats influence risks. This, in turn, can help prevent and mitigate security breaches. A good understanding is also needed for efficient risk assessment and risk management, for designing effective security solutions based on threat information, and for creating an effective security policy and cybersecurity strategy.