Threats, Vulnerabilities, and Risks

A Crucial Distinction

In cybersecurity, the terms threats, vulnerabilities, and risks are often used interchangeably, but they are distinct concepts. Understanding their relationship is fundamental to building an effective security program. It is also important to remember that these concepts have a context, namely that they relate to assets. Think of it as a logical chain: a threat exploits a vulnerability to create a risk.

What are They?

  • Threat: A threat is an actor or event with the potential to cause harm: a potential danger that may exploit a vulnerability to breach security. A threat is not an event itself, but rather the potential for an event to occur.

    Example: A malicious hacker, a piece of malware, or a natural disaster like a fire are all considered threats.

  • Vulnerability: A weakness, flaw, or gap in a system, process, or control that a threat can exploit. Weak access controls, human error, and outdated policies are just as much vulnerabilities as a software bug.

    Example: An unpatched software bug, a weak password, or a lack of employee security training are all vulnerabilities.

  • Risk: The potential for loss or damage when a threat exploits a vulnerability. Risk is a measure of both the likelihood of a threat event occurring and the impact (the consequences) if it does.

    Formula: Risk = (Likelihood of a threat event) x (Impact of that event)

Abstract

Risk has two components: likelihood and impact. Likelihood is the probability of a threat event occurring, while impact measures the potential damage or loss if it does. By assessing both, an understanding of each risk can be built and controls prioritised.

Laying it out for the layman

I best heard this explained in the context of how we approach home security.
Imagine a house... and what assets, threats, vulnerabilities and risks exist.

  • The assets are the valuables,
  • The threat is a burglar,
  • The vulnerability is an unlocked window on the ground floor,
  • The risk is that the burglar will enter through the unlocked window and steal valuables.

If you lock the window (address the vulnerability), the risk is mitigated. Similarly, if there are no burglars in the area (no immediate threat), there is no risk, even with an unlocked window. Cybersecurity is about managing this relationship: reducing vulnerabilities and mitigating threats to lower the overall risk.
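To make the Risk = Likelihood x Impact formula and the house analogy concrete, here is an added example (not from the original post) of a small risk register that scores each asset/threat/vulnerability row, ranks the rows so controls can be prioritised, and shows the two mitigation paths from the analogy: locking the window and having no burglars around. The 0-5 likelihood and 1-5 impact scales and the sample rows are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: a threat exploiting a vulnerability on an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 0 = no credible threat at all, 5 = near certain (assumed scale)
    impact: int      # 1 = negligible loss, 5 = severe loss (assumed scale)

    def score(self) -> int:
        # Risk = Likelihood x Impact, the formula from the post.
        return self.likelihood * self.impact


def apply_control(risk: Risk, likelihood: Optional[int] = None,
                  impact: Optional[int] = None) -> Risk:
    """Residual risk after a control. Fixing the vulnerability or removing the
    threat lowers likelihood; backups or insurance mostly lower impact."""
    return replace(risk,
                   likelihood=risk.likelihood if likelihood is None else likelihood,
                   impact=risk.impact if impact is None else impact)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest-scoring risks first: these are the controls to fund first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


# Constructed sample register: the house from the analogy plus three cyber rows.
HOUSE = Risk("valuables", "burglar", "unlocked ground-floor window", 4, 5)
REGISTER = [
    HOUSE,
    Risk("customer database", "external attacker", "unpatched web server", 4, 5),
    Risk("staff laptop", "opportunistic thief", "no disk encryption", 2, 4),
    Risk("brochure website", "defacer", "weak admin password", 3, 1),
]


def locked_window() -> Risk:
    # Vulnerability addressed: the burglar now needs a far less likely way in.
    return apply_control(HOUSE, likelihood=1)


def no_burglars() -> Risk:
    # No threat in the area: the window is still unlocked, but nothing exploits it.
    return apply_control(HOUSE, likelihood=0)


if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.score():2d}  {r.asset:<18} {r.threat} via {r.vulnerability}")
    print("locked window ->", locked_window().score(),
          "| no burglars ->", no_burglars().score())
```

Note that `no_burglars()` leaves the vulnerability in place and still scores zero, which is exactly the post's point: risk needs both a threat and a vulnerability, and a register that tracks only one of them will mislead you.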