Threat vs Vulnerability vs Risk
There is some debate in the security community surrounding the definition of Threat, Vulnerability and Risk. ISO, IEC, NIST and ENISA all disagree, and the Information Security industry also offers various definitions. As examples, Richard Bejtlich of TAO Security, International Charter, Eleventh Alliance and Ingenta all differ in their opinions.
The one common theme is that Information Security exists to manage risk, and that risk exists as a function of at least threat and vulnerability. Let's start with the least controversial definition, Vulnerability.
vulnerable (adjective) 1 exposed to being attacked or harmed
Vulnerability, the least contentious of the Information Security definitions, has only a single dictionary definition – exposure to attack. In Information Security, then, vulnerability could be defined as “a flaw or weakness in hardware, software or process that exposes a system to compromise”.
NIST SP 800-30 – Risk Management Guide for Information Technology Systems – defines a vulnerability similarly:
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
The Information Technology Security Evaluation Criteria (ITSEC), a standard used by a number of European countries, defines vulnerability as:
The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved.
Threat is a more contentious definition. In the Oxford Dictionary:
threat (noun) 1 a stated intention to inflict injury, damage, or other hostile action on someone. 2 a person or thing likely to cause damage or danger. 3 the possibility of trouble or danger.
In Information Security circles, “threat” is defined variously. Usually definition 2 above is used, and thus “threat” becomes the actor – a “person or thing”. SANS, in their Ethical Hacking and Penetration Testing course, define “threat” similarly, as an actor.
Both NIST SP 800-30 and the Common Criteria for Information Technology Security Evaluation (an ISO standard replacing ITSEC) differentiate between a “threat source” or “threat-agent” and a “threat”.
NIST defines “threat-source” as the interaction of an actor and motivation, and “threat” as the interaction between a “threat-source” and a vulnerability.
Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
A threat, then, is either intention/motivation, an actor, a possibility of danger, or a combination of a subset of those. My preferred definition is that threat is the “interaction of actor, motivation and vulnerability”.
The European Network and Information Security Agency (ENISA) offers a broader definition encompassing that offered above:
Any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
It is important to note at this point that no source has defined “threat” as including an element of probability. Whilst it is clear, thus far, that a threat only occurs where a motivated actor co-exists with a vulnerability, the chance of that threat leading to an event has not yet been considered.
Turning to risk, first from the Oxford dictionary:
risk (noun) 1 a situation involving exposure to danger. 2 the possibility that something unpleasant will happen. 3 a person or thing causing a risk or regarded in relation to risk: a fire risk
According to the dictionary, risk is either (1) a circumstance, which we earlier defined with the term “threat”, (3) an actor, which we earlier defined as a component of a “threat”, or (2) the possibility that something unpleasant will happen. SANS aside, who teach that risk is the interaction of actor and vulnerability, definition 2 is the most common within Information Security.
ISO Guide 73 – Risk Management defines “risk” as:
The combination of the probability of an event and its consequence
ISO 13335 – Information Technology Security Techniques defines “risk” as:
The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
So “risk” contains elements of a threatening circumstance (actor, motivation and vulnerability), probability and business impact. It is important to consider semantics here – we are not considering the risk of a threat, we are considering the risk of a business suffering an outcome as a result of a threat.
The probability of an attack is largely determined by the specific vulnerability and the motivation of the actor, though external factors should also be applied when calculating it. For this reason it should always be considered as distinct from the “threat” itself.
Business impact, often forgotten by technical staff conducting risk assessments or deploying countermeasures, is itself a function of several factors already considered. Outcomes are affected largely by the actor (state / industrial / criminal) and the specific vulnerability. Business impact is a primary element of risk and is usually closely correlated with it.
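To make the separation argued above concrete, here is an added illustration (my own, not from any of the standards cited): the NIST composition of threat-source, threat and vulnerability, with probability and impact kept outside the threat and only combined in the risk. The 1–5 ordinal scales and the product scoring are assumptions for the example; none of the sources prescribe a formula.

```python
from dataclasses import dataclass

# Vulnerability: a flaw or weakness that exposes a system to compromise.
@dataclass(frozen=True)
class Vulnerability:
    description: str

# Threat-source (NIST SP 800-30): the interaction of an actor and a motivation.
@dataclass(frozen=True)
class ThreatSource:
    actor: str        # e.g. "state", "industrial", "criminal"
    motivation: str

# Threat (NIST SP 800-30): a threat-source paired with a specific vulnerability.
# Deliberately carries no probability and no impact.
@dataclass(frozen=True)
class Threat:
    source: ThreatSource
    vulnerability: Vulnerability

# Risk (ISO Guide 73 / ISO 13335): a threat combined with the probability of the
# resulting event and its consequence (business impact).
@dataclass(frozen=True)
class Risk:
    threat: Threat
    probability: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject out-of-scale values so a register cannot silently hold bad scores.
        for name in ("probability", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")

    def score(self) -> int:
        # Assumed product scoring; the sources quoted above prescribe no formula.
        return self.probability * self.impact

def rank_register(register: list[Risk]) -> list[Risk]:
    """Order a risk register from highest to lowest risk score."""
    return sorted(register, key=lambda r: r.score(), reverse=True)

# Constructed sample: one and the same threat assessed against two business
# contexts. The threat is identical; only probability and impact differ.
SQLI = Vulnerability("SQL injection in customer search form")
CRIMINAL = ThreatSource(actor="criminal", motivation="financial gain")
THREAT = Threat(source=CRIMINAL, vulnerability=SQLI)
INTERNAL_TOOL = Risk(THREAT, probability=2, impact=2)   # not internet-facing, no customer data
PAYMENT_PORTAL = Risk(THREAT, probability=4, impact=5)  # internet-facing, card data behind it
```

Ranking `[INTERNAL_TOOL, PAYMENT_PORTAL]` with `rank_register` puts the payment portal first, even though both entries share exactly the same threat object.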
This article has illustrated the tensions between dictionary, government and industry definitions of well-used Information Security terms. Considerable disagreement continues surrounding the definition of “threat” and “risk”, though the use of “threat” as a circumstance, and of “risk” as having elements of “impact” and “probability”, is largely agreed.
Though a universally agreed set of definitions is desirable, it is also idealistic. It is perhaps most important, in the short term, that currently used definitions are at least understood by all, before embarking on an attempt at agreement.