Vulnerabilities, threats, and risks – what are they?
Cyber security is full of acronyms, jargon, and terminology which are misunderstood or misappropriated to serve agendas. The key to effective communication is ensuring everyone in a discussion is working from the same dictionary. Without a common vocabulary within the group, a common understanding becomes nearly impossible.
Let’s tackle these terms, what they mean, when they apply, and why each is an important part of a discussion about cyber security.
Shall we dive in?
What is a vulnerability?
A vulnerability is a weakness, or flaw, within a system.
This definition is universally applicable. Software developers can intentionally build a vulnerability, such as a “backdoor” (a shortcut that bypasses security protections), into a program. More often, a vulnerability is unintentional: an oversight or mistake made when writing or configuring a system.
Not all vulnerabilities are equal. The Common Vulnerability Scoring System, or CVSS, is the standard method for scoring the severity of a vulnerability, so that severity is ranked and described consistently. Keep in mind that a CVSS base score measures the technical severity of the flaw itself, not the risk it poses to your particular organization; that depends on whether the vulnerable component is reachable and what it protects.
Severity ratings range from low to critical. Critical severity vulnerabilities must be addressed as soon as possible.
Remote Code Execution, or RCE, vulnerabilities are among the most severe. An attacker can use such a bug to run their own code, or programs, on the affected system.
A final note on vulnerabilities. Do not ignore low or medium severity vulnerabilities. A damaging attack can come from chaining several low severity vulnerabilities together, for example using an information leak to locate the target for a second bug. In this situation, the “whole” is greater than the sum of the parts.
What is a threat?
A threat is the potential for a negative outcome.
Threats take many forms. From human error to natural disasters, threats can pose extreme danger to organizations.
Thankfully, a threat is only part of the equation.
Picture this scenario. An employee leaves your organization on bad terms. As such, they are a threat. They hold the potential to cause a negative outcome.
A threat with no vulnerability to exploit is a minor concern. Every control, not just those in the cyber security realm, exists to keep threats from reaching the vulnerabilities an organization has.
In this scenario, a firewall or multifactor authentication could protect the organization from the threat of the former employee, and the most direct control of all is revoking their accounts and credentials the moment they leave, so there is no access left for them to exploit.
It is the combination of a vulnerability and a threat that creates risk.
What is a risk?
A risk is the potential impact of an event occurring, weighed against how likely that event is. Risk is not always negative: an uncertain event can turn out positive, negative, or neutral for the organization.
Factoring in the probability of an event (the likelihood) and the impact (the financial or operational cost) is the traditional way to calculate risk.
Cyber security relies on a slightly longer formula to calculate risk.
risk = probability x vulnerability x threat x impact
What do each of these mean?
Probability is the chance, or likelihood, of an event occurring. How often do you expect the event to occur? To define the probability, you must have data. In traditional risk management, many industries have decades of data to rely on. Consider, under normal operating conditions, how long has this equipment lasted in the past? Without concrete performance data, probability is more difficult to gauge in cyber security, but it is not impossible: your own incident history, threat intelligence, and whether a working exploit is publicly available are all usable evidence.
A Vulnerability is the weakness or flaw in the system that presents the opportunity for the risk to be realized. Without this component, there is nothing to fail, meaning there is no risk.
Threat is the potential that someone can exploit a vulnerability. This may be a malicious actor or a well-intentioned employee. If a vulnerability is unreachable, or 100% protected, there is no risk. In practice, few vulnerabilities are truly unreachable; controls usually reduce the threat factor rather than eliminate it, so treat a claim of zero here with suspicion.
Impact is the financial or operational deviation from normal, expected operations. The impact may be directly financial, or it could be reputational, regulatory, or legal. Impact in the simplest terms is the gain or loss expected from the event occurring.
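A worked version of the four-factor formula, as an added example that is not part of the original article: it scores a handful of constructed scenarios and ranks them. The scale chosen for each factor (attempts per year, 0-1 exploitability, 0-1 reachability, dollars of impact) and the numbers themselves are assumptions picked for illustration, not figures the article supplies.

```python
"""Worked risk scoring with risk = probability x vulnerability x threat x impact.

Added example, not code from the original article. The scenarios and the
factor values are constructed for illustration; the scale used for each
factor is an assumption, not something the article prescribes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float    # expected attempts per year (assumed scale)
    vulnerability: float  # 0.0 (no flaw) .. 1.0 (trivially exploitable) (assumed scale)
    threat: float         # 0.0 (unreachable / fully protected) .. 1.0 (fully exposed)
    impact: float         # expected loss in dollars if the event occurs


def risk(s: Scenario) -> float:
    """Compute the product of the four factors; any zero factor zeroes the risk."""
    for factor in (s.probability, s.vulnerability, s.threat, s.impact):
        if factor < 0:
            raise ValueError(f"{s.name}: factors must be non-negative")
    return s.probability * s.vulnerability * s.threat * s.impact


def ranked(scenarios):
    """Return (name, risk) pairs, highest risk first (ties keep input order)."""
    return sorted(((s.name, risk(s)) for s in scenarios),
                  key=lambda pair: pair[1], reverse=True)


# Constructed scenarios (not real data).
REGISTER = [
    # Critical RCE on a build server that only the CI network can reach.
    Scenario("critical RCE, internal build server", probability=2.0,
             vulnerability=0.9, threat=0.1, impact=500_000),
    # Medium severity information leak on an Internet-facing web application.
    Scenario("medium info leak, public web app", probability=50.0,
             vulnerability=0.5, threat=1.0, impact=40_000),
    # Critical flaw on a host with no network path to it at all.
    Scenario("critical flaw, air-gapped host", probability=2.0,
             vulnerability=1.0, threat=0.0, impact=2_000_000),
    # Departed employee whose accounts were disabled: nothing left to exploit.
    Scenario("former employee, accounts revoked", probability=1.0,
             vulnerability=0.0, threat=1.0, impact=300_000),
]

if __name__ == "__main__":
    for name, value in ranked(REGISTER):
        print(f"{value:>12,.0f}  {name}")
```

Note how the medium severity flaw on the exposed web application outranks the critical RCE that only the build network can reach, and how a threat factor of zero (the air-gapped host) or a vulnerability factor of zero (the revoked accounts) zeroes the product regardless of impact, which is exactly the claim the definitions above make.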
Risk can be a challenging topic for discussion. By ensuring everyone is working from a common definition, you can have open, honest conversations about risk. Removing Fear, Uncertainty, and Doubt (FUD) from your risk discussions in this way empowers better business decisions.
You can now make better business decisions with an understanding of vulnerabilities, threats, and risks!