
Threat vs Vulnerability vs Risk

by Jago Maniscalchi  //  June 26, 2009  //  Risk Management  //  6 Comments

There is some debate in the security community surrounding the definition of Threat, Vulnerability and Risk. ISO, IEC, NIST and ENISA all disagree, and the Information Security industry also offers various definitions. As examples, Richard Bejtlich of TAO Security, International Charter, Eleventh Alliance and Ingenta all differ in their opinions.

The one common theme is that Information Security exists to manage risk, and that risk exists as a function of at least threat and vulnerability. Let's start with the least controversial definition, Vulnerability.


vulnerable (adjective) 1 exposed to being attacked or harmed

Vulnerability, the least contentious of the Information Security definitions, has only a single dictionary definition – exposure to attack. In Information Security, then, vulnerability could be defined as “a flaw or weakness in hardware, software or process that exposes a system to compromise”.

NIST SP 800-30 – Risk Management Guide for Information Technology Systems – defines a vulnerability similarly:

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

The Information Technology Security Evaluation Criteria (ITSEC), a standard used by a number of European countries, defines vulnerability as:

The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved.


Threat is a more contentious definition. In the Oxford Dictionary:

threat (noun) 1 a stated intention to inflict injury, damage, or other hostile action on someone. 2 a person or thing likely to cause damage or danger. 3 the possibility of trouble or danger.

In Information Security circles, “threat” is defined variously. Usually definition 2 above is used, and thus “threat” becomes the actor – a “person or thing”. SANS in their Ethical Hacking and Penetration Testing course define “threat” similarly, as an actor.

Both NIST SP 800-30 and the Common Criteria for Information Technology Security Evaluation (an ISO standard replacing ITSEC) differentiate between a “threat source” or “threat-agent” and a “threat”.

NIST defines “threat-source” as the interaction of an actor and motivation, and “threat” as the interaction between a “threat-source” and a vulnerability.

Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

A threat, then, is either intention/motivation, an actor, a possibility of danger, or a combination of a subset of those. My preferred definition is that threat is the “interaction of actor, motivation and vulnerability”.

The European Network and Information Security Agency (ENISA) offers a broader definition encompassing the one given above:

Any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.

It is important to note at this point that no source has defined “threat” as including an element of probability. Whilst it is clear, thus far, that a threat only occurs where a motivated actor co-exists with a vulnerability, the chance of that threat leading to an event has not yet been considered.


Firstly, from the Oxford dictionary:

risk (noun) 1 a situation involving exposure to danger. 2 the possibility that something unpleasant will happen. 3 a person or thing causing a risk or regarded in relation to risk: a fire risk

According to the dictionary, Risk is either (1) a circumstance, which we earlier defined with the term “threat”, (3) an actor, which we earlier defined as a component of a “threat”, or (2) the possibility that something unpleasant will happen. SANS aside, who teach that Risk is the interaction of actor and vulnerability, definition 2 is the most common within Information Security.

ISO Guide 73 – Risk Management defines “risk” as:

The combination of the probability of an event and its consequence

ISO 13335 – Information Technology Security Techniques defines “risk” as:

The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

So “risk” contains elements of a threatening circumstance (actor, motivation and vulnerability), probability and business impact. It is important to consider semantics here – we are not considering the risk of a threat, we are considering the risk associated with a business suffering an outcome as a result of a threat.

The probability of an attack is largely affected by the specific vulnerability and the motivation of the actor, though external factors should also be applied when calculating it. For this reason it should always be considered as distinct from the “threat” itself.

Business impact, often forgotten by technical staff conducting risk assessments or deploying counter-measures, is itself also a function of several factors already considered. Outcomes are affected largely by the actor (state / industrial / criminal) and the specific vulnerability. Business impact is a primary element of risk and is usually closely correlated with it.
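The separation argued for above (threat as the interaction of actor, motivation and vulnerability; probability and business impact as distinct terms that combine into risk) can be made concrete in a small risk register. The following Python is an added illustration, not code from the original article: the 0..1 scales for motivation, capability and exposure, the control-effectiveness adjustment, the rating bands and the sample entries are all constructed for this example.

```python
"""Toy risk register that keeps threat, probability and impact as separate
terms, in the sense the article uses them.  Added illustration; all scales,
weights, rating bands and sample entries are constructed, not from any standard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposure: float      # 0..1, how easily the flaw can be exercised (assumed scale)


@dataclass(frozen=True)
class ThreatSource:
    actor: str           # state / industrial / criminal / insider ...
    motivation: float    # 0..1, interest in this particular asset (assumed scale)
    capability: float    # 0..1, ability to act on that interest (assumed scale)


@dataclass(frozen=True)
class Threat:
    """Threat as the 'interaction of actor, motivation and vulnerability'."""
    source: ThreatSource
    vulnerability: Vulnerability


def identify_threats(sources, vulnerabilities):
    """A threat exists only where a motivated source co-exists with a
    vulnerability; a capable but unmotivated source produces none."""
    return [Threat(s, v) for s in sources for v in vulnerabilities if s.motivation > 0]


def likelihood(threat, control_effectiveness=0.0):
    """Probability of the event.  Driven by the vulnerability and the actor's
    motivation, then reduced by the 'external factor' of any counter-measure.
    Deliberately a separate function: probability is not part of the Threat."""
    raw = (threat.source.motivation * threat.source.capability
           * threat.vulnerability.exposure)
    return round(raw * (1.0 - control_effectiveness), 3)


@dataclass(frozen=True)
class Risk:
    threat: Threat
    probability: float   # 0..1
    impact: float        # business impact, 0..100 (assumed units)

    def score(self):
        return self.probability * self.impact

    def rating(self):
        # Assumed bands: a likely event with trivial impact still rates Low.
        s = self.score()
        if s > 50:
            return "High"
        if s > 10:
            return "Medium"
        return "Low"


def build_register(sources, vulnerabilities, impact_of, controls=None):
    """Enumerate threats, attach a probability and an impact to each, and
    return the resulting risks ordered from highest to lowest score."""
    controls = controls or {}
    register = []
    for t in identify_threats(sources, vulnerabilities):
        p = likelihood(t, controls.get(t.vulnerability.name, 0.0))
        register.append(Risk(t, p, impact_of(t)))
    return sorted(register, key=lambda r: r.score(), reverse=True)


# Constructed sample entries for a hypothetical web application.
SQLI = Vulnerability("sqli-in-login-form", exposure=0.9)
OLD_FAX = Vulnerability("unpatched-fax-firmware", exposure=0.3)
CRIMINAL = ThreatSource("criminal", motivation=0.8, capability=0.7)
STATE = ThreatSource("state", motivation=0.0, capability=1.0)  # capable, not interested


def impact_of(threat):
    """Impact depends on actor and vulnerability, never on probability."""
    return 90.0 if threat.vulnerability == SQLI else 5.0


def demo(controls=None):
    return build_register([CRIMINAL, STATE], [SQLI, OLD_FAX], impact_of, controls)


if __name__ == "__main__":
    for label, ctl in (("no controls", None), ("WAF on login form", {"sqli-in-login-form": 0.9})):
        print(label)
        for r in demo(ctl):
            print(f"  {r.threat.source.actor:9s} x {r.threat.vulnerability.name:24s}"
                  f" p={r.probability:.3f} impact={r.impact:5.1f} -> {r.rating()}")
```

Running it shows the three distinctions the article draws: the state actor never appears in the register because motivation is zero (no threat), the fax flaw is a real threat with a non-trivial probability but rates Low because the impact is small, and adding a counter-measure to the login form lowers the probability, and so the risk, without changing the threat entry itself.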


This article has illustrated the tensions between dictionary, government and industry definitions of well-used Information Security terms. Considerable disagreement continues surrounding the definition of “threat” and “risk”, though the use of “threat” as a circumstance, and of “risk” as having elements of “impact” and “probability”, are largely agreed.

Though a universally agreed set of definitions is desirable, it is also idealistic. It is perhaps most important, in the short term, that currently used definitions are at least understood by all, before embarking on an attempt at agreement.

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.

6 Comments on "Threat vs Vulnerability vs Risk"

  1. Kelly November 9, 2009 at 7:41

    Let's keep our security people from scanning for known vulnerabilities and sending it to management as a measurement of risk by itself.

  2. Dave June 28, 2010 at 10:29

    Defining threat in terms of vulnerability has the disadvantage of dismissing threats once vulnerabilities are eliminated. The CISSP CBK defines:

    Threat: The potential danger that a vulnerability may be exploited intentionally, triggered accidentally, or otherwise exercised.

    Threat Agent: A means or method used to exploit a vulnerability in a system, operation or facility.

    If one builds a fireproof structure that can withstand continuous exposure to very high temperatures for an indefinite amount of time with no damage, then it has no vulnerability to fire. But should that mean that fire is not considered a threat? If perfect armor could be developed, does that mean that IEDs are not a threat? And if a perfectly secure IT system is developed (i.e., one that is disconnected and powered down), should that mean that network attacks are not a threat?

    The three-circle diagram only makes sense if “Vulnerability (flaw, weakness)” is interpreted to mean “potential or hypothetical weakness”, not “weakness that actually exists in a specific system”.

  3. James Maniscalchi October 10, 2010 at 11:08

    Dave, I agree.

    When calculating risk, I always start with all possible vulnerabilities. There are a number of ways to try to enumerate them – perhaps the subject of a future article?

    If, for a particular vulnerability, there is no motivated threat actor, or there is a working counter-measure in place, then there is no threat posed to the system. In reality, of course, most counter-measures can be evaded, and there is almost always a motivated actor. The threat therefore remains, if only at a low level.

  4. shipra December 9, 2010 at 1:11

    This article helped me clear out many of my confusions.
