These three fundamental cybersecurity concepts are related but have distinct meanings. Security experts define these three concepts in a variety of ways, and the terms threat and risk are sometimes used interchangeably. This article’s definitions come from paraphrasing Computer Security: Principles and Practice by William Stallings and Lawrie Brown. Each term can be thought of in reference to an asset or “something that needs to be protected.”
- A vulnerability is a flaw or weakness in an asset’s design, implementation, or operation and management that could be exploited by a threat.
- A threat is a potential for a threat agent to exploit a vulnerability.
- A risk is the potential for loss when the threat happens.
Now, let us dive into each of these concepts.
Identifying vulnerabilities is akin to answering the question, “How could harm occur?” Sometimes, a vulnerability exists simply because of how an asset is implemented or deployed. For example, leaving your car unlocked in a public parking lot is a vulnerability. Leaving the doors unlocked does not necessarily mean harm will occur, but it is an opening for someone to go through your car. Our office looks for vulnerabilities in WashU systems to catch them before bad actors can exploit them.
Identifying threats is akin to answering the question, “Who or what could cause harm?” In a broad sense, a threat is anything that could exploit a vulnerability and compromise the confidentiality, integrity, or availability of something valuable. Threats can be natural or human-made, and accidental or deliberate. In our car example, the owner of the car did not lock their door, so a carjacker could exploit the opportunity. This means the threat is human-made and deliberate.
Once we know an asset’s vulnerabilities and threats, we can determine how much risk is posed to the asset owner. This measure is the combination of the likelihood that a threat exploits a vulnerability and the scale of harmful consequences.
Risk = (Probability that a threat occurs) * (Cost to the asset owner)
Despite the quantitative-looking nature of risk calculation, many risk analyses use qualitative ratings. This is because it can be extremely difficult to determine accurate probabilities and realistic costs, especially for intangible assets like trade secrets. The aim of risk analysis is to put risks in order of what is most urgent. This can also help the owner figure out how much effort and resources should go into protecting the asset.
Once again, let us circle back to the car example. If you drive a fancy car and keep valuables in it, then your cost is high. Also, if you park the unlocked car in a crime-laden area, then the probability that a threat occurs is also high. Combining these two factors shows your car is at elevated risk in this situation.
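The following is an added example (not part of the original article or the Office of Information Security's own tooling) that turns the two ideas above into a small risk register: the quantitative formula Risk = probability × cost, and the qualitative alternative in which ordinal Low/Medium/High ratings for likelihood and impact are combined through a matrix so risks can be ordered by urgency. The three-level scale, the bucket thresholds, and every asset in the register are constructed assumptions for illustration; real programs commonly use four or five levels and their own thresholds.

```python
"""Risk scoring and ranking for a small asset register (added example).

Two ways to compute risk, as described in the article:
  1. quantitative: Risk = (probability a threat occurs) * (cost to the owner)
  2. qualitative: ordinal likelihood x impact ratings combined via a matrix,
     used when accurate probabilities and costs cannot be determined.
All scales, thresholds and register entries below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: a three-level ordinal scale. Many programs use four or five levels.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # "low" / "medium" / "high"
    impact: str      # "low" / "medium" / "high"


def quantitative_risk(probability: float, cost: float) -> float:
    """Expected loss: probability that the threat occurs times cost to the asset owner."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if cost < 0:
        raise ValueError("cost must be non-negative")
    return probability * cost


def qualitative_score(likelihood: str, impact: str) -> int:
    """Combine ordinal ratings via a likelihood x impact matrix (scores 1..9)."""
    try:
        return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc.args[0]}") from None


def rating(score: int) -> str:
    """Bucket a matrix score into an overall rating (thresholds are an assumption)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_register(register: List[Risk]) -> List[Tuple[int, str, Risk]]:
    """Return (score, rating, risk) triples, most urgent first.

    Python's sort is stable, so risks with equal scores keep their input order.
    """
    scored = [(qualitative_score(r.likelihood, r.impact), r) for r in register]
    scored.sort(key=lambda item: item[0], reverse=True)
    return [(score, rating(score), risk) for score, risk in scored]


# Constructed register. The first two rows mirror the article's car example:
# same vulnerability and threat, but the cost (impact) differs.
SAMPLE_REGISTER = [
    Risk("car (fancy, valuables inside)", "thief", "doors left unlocked", "high", "high"),
    Risk("car (old, empty)", "thief", "doors left unlocked", "high", "low"),
    Risk("web application", "credential stuffing", "no login rate limiting", "medium", "high"),
    Risk("trade-secret documents", "insider", "no periodic access review", "low", "high"),
]

if __name__ == "__main__":
    for score, level, risk in rank_register(SAMPLE_REGISTER):
        print(f"{score} {level:6} {risk.asset}: {risk.threat} via {risk.vulnerability}")
    # Constructed numbers: 25% yearly chance of a $20,000 loss.
    print(quantitative_risk(0.25, 20000))
```

Running the module prints the register in priority order: the unlocked fancy car scores 9 (high), the web application 6 (high), and the two remaining entries tie at 3 (medium), which is exactly the ordering the article says risk analysis is meant to produce. The quantitative function is kept separate so that, where real probabilities and costs are available, the same register can be re-scored in dollars.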
The problem with risk is that, no matter how advanced our systems are, we cannot eliminate all threats. This is where risk assessment and management come in: a routine, ongoing practice where our office regularly reviews risks to minimize the potential for certain threats to occur.
You can find a list of our forms – including risk assessment forms such as the IT Procurement Vendor Intake Form and Web Application Risk Assessment – at Forms | Office of Information Security. For a list of approved external websites or cloud services to store, create or transmit WashU confidential or Protected information, visit Secure Storage and Communication Services.
Stallings, W., & Brown, L. (2017). Computer security: Principles and practice (4th ed.). Pearson Education, Inc.