The Difference Between a Security Risk, Vulnerability and Threat
posted by John Spacey, December 09, 2012
It's often the most basic definitions that are the easiest to get wrong.
When it comes to information security there are no more important concepts than risk, threat and vulnerability.
The difference between these terms might seem obvious. Nevertheless, they are frequently misused.
When did the future switch from being a promise to a threat?
~ Chuck Palahniuk
A threat is something bad that might happen.
It's as simple as that. A more complex definition wouldn't be any more helpful.
From a security perspective the first threat that pops to mind is a security attack. However, a threat can range from innocent mistakes made by employees to natural disasters.
Vulnerability is the birthplace of innovation, creativity and change.
~ Brené Brown
It's common to define vulnerability as "weakness" or as an "inability to cope". Both of these definitions are completely wrong (from a security and risk management perspective).
A better definition of vulnerability is "exposure".
If you give a presentation at a conference it might open you to criticism or even ridicule. Plenty of people have a fear of public speaking for this very reason. However, the act of giving a speech isn't a weakness; it's an exposure.
Connecting a system to the internet can represent a vulnerability. For example, it exposes a system to a DDoS attack. However, connecting a system to customers via the internet isn't likely to be considered a weakness from a business perspective.
No man is worth his salt who is not ready at all times to risk his well-being, to risk his body, to risk his life, in a great cause.
~ Theodore Roosevelt
Risk is a chance that something unexpected will happen. It's the combination of threats and vulnerabilities:
IT security professionals tend to think of risk as bad. They might define it as the "chance that something bad will happen".
However, from a business perspective risk can be considered a good thing. Therefore, risk management professionals treat risks as potentially positive.
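The three definitions above can be made concrete in a small model (an added example, not code from the original post, using constructed sample values): a risk only exists where an event meets an exposure, a threat is simply an event with a negative impact, and because impacts are signed the net expected value of a system's risks can come out positive, which is the business view of risk described above. The internet-facing service with its DDoS downside and its customer-order upside is the page's own example; the flood event and all figures are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Something unexpected that might happen within the planning period."""
    name: str
    probability: float  # chance the event occurs in the period
    impact: float       # signed money value: negative = loss, positive = gain
    requires: str       # name of the exposure the event can act through

    def is_threat(self) -> bool:
        # A threat is "something bad that might happen": a negative-impact event.
        return self.impact < 0


@dataclass(frozen=True)
class Exposure:
    """A vulnerability in the page's sense: something the system is exposed to."""
    name: str


@dataclass(frozen=True)
class Risk:
    event: Event
    exposure: Exposure

    def expected_value(self) -> float:
        return self.event.probability * self.event.impact


def derive_risks(events, exposures):
    """A risk is the combination of an event and an exposure it can act through.
    An event with no matching exposure produces no risk, however bad it is."""
    by_name = {e.name: e for e in exposures}
    return [Risk(ev, by_name[ev.requires]) for ev in events if ev.requires in by_name]


def net_expected_value(risks) -> float:
    """Sum of signed expected values; positive means the risks are net upside."""
    return sum(r.expected_value() for r in risks)


# Constructed sample data (assumed figures, not from the original post).
INTERNET = Exposure("internet-facing service")
EVENTS = [
    Event("DDoS outage", 0.20, -50_000.0, "internet-facing service"),
    Event("online customer orders", 0.90, 200_000.0, "internet-facing service"),
    Event("flood at data centre", 0.01, -1_000_000.0, "single physical site"),
]

if __name__ == "__main__":
    for r in derive_risks(EVENTS, [INTERNET]):
        print(f"{r.event.name:25s} threat={r.event.is_threat()} EV={r.expected_value():>10.0f}")
    print("net expected value:", net_expected_value(derive_risks(EVENTS, [INTERNET])))
```

Removing the exposure (an empty exposure list) removes every risk, while the flood event never becomes a risk because this system has no "single physical site" exposure in the list.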