The Elements of Security: Vulnerability, Threat, Risk

Read section 1.3. When you are new to the information security industry, you may use the words vulnerability, threat, and risk interchangeably, though they actually have very different meanings. As you read, think about the differences between these terms and try to explain each term in the context of information security.

Vulnerability
  • A software, hardware, or procedural weakness that may give an attacker a way into a computer or network and unauthorized access to resources within the environment.
  • A vulnerability is the absence or weakness of a safeguard that could be exploited.
  • E.g.: an unnecessary service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security, etc.
Threat
  • Any potential danger to information or systems.
  • A threat is the possibility that someone or something (a person, a piece of software) will identify and exploit the vulnerability.
  • The entity that takes advantage of a vulnerability is referred to as a threat agent. E.g.: a threat agent could be an intruder accessing the network through an open port on the firewall.
Risk
  • Risk is the likelihood of a threat agent taking advantage of a vulnerability, combined with the corresponding business impact.
  • Reducing the vulnerability and/or the threat reduces the risk.
  • E.g.: if a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to gain unauthorized access to the network.

Exposure
  • An exposure is an instance of being exposed to losses from a threat agent.
  • Vulnerability exposes an organization to possible damages.
  • E.g.: if password management is weak and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.

Countermeasure or Safeguard
  • An application, a software configuration, a hardware device, or a procedure that mitigates the risk.
  • E.g.: strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.
The Relation Between the Security Elements
  • Example: if a company has antivirus software but does not keep the virus signatures up to date, this is a vulnerability. The company is vulnerable to virus attacks.
  • The threat is that a virus will show up in the environment and disrupt productivity.
  • The likelihood of a virus showing up in the environment and causing damage is the risk.
  • If a virus infiltrates the company's environment, then the vulnerability has been exploited and the company is exposed to loss.
  • The countermeasures in this situation are to update the signatures and install the antivirus software on all computers.

The elements form a cycle, read from left to right:

  Threat agent  --gives rise to-->  Threat
  Threat        --exploits-->       Vulnerability
  Vulnerability --leads to-->       Risk
  Risk          --can damage-->     Assets
  Assets        --and cause an-->   Exposure
  Exposure      --can be countermeasured by-->  Safeguard
  Safeguard     --directly affects-->  Threat agent


Alternative Description:
A threat agent causes the realisation of a threat by exploiting a vulnerability. The measure of the extent to which this exploitation causes damage is the exposure. The organisational loss created within the exposure is the impact. Risk is the probability that a threat event will generate loss and be realised within the organisation.

Example:
  • Target: A bank contains money.
  • Threat: There are individuals who want, or need, additional money.
  • Vulnerability: The bank uses software that has a security flaw.
  • Exposure: 20% of the bank's assets are affected by this flaw.
  • Exploit: By running a small snippet of code (malware), the software can be accessed illegally.
  • Threat Agent: There are hackers who have learned how to use this malware to control the bank's software.
  • Exploitation: The hackers access the software using the malware and steal money.
  • Impact: The bank loses monetary assets, reputation, and future business.
  • Risk: The likelihood that a hacker will exploit the bank's software vulnerability and impact the bank's reputation and monetary resources.
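The following is an added example and is not part of the wikibook page: a minimal risk register in Python that models the elements above (asset, threat, threat agent, vulnerability, exposure, safeguard) for both the antivirus story and the bank story. The scoring is an assumption made here, not something the page states: impact is taken as asset value times exposure factor (the bank's "20% of assets"), risk as likelihood times impact, and each safeguard acts on exactly one element, so a safeguard on the vulnerability or the threat lowers the likelihood while a safeguard on the exposure lowers the damage. All figures are constructed for illustration.

```python
# Added example, not code from the wikibook page.  ASSUMPTIONS (not stated
# on the page): impact = asset_value * exposure_factor, risk = likelihood *
# impact, and a safeguard reduces exactly one element: "threat",
# "vulnerability" (both lower the likelihood) or "exposure" (lowers the damage).
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat-agent / vulnerability / asset combination in a risk register."""
    asset: str
    asset_value: float      # value of the asset at risk, in currency units
    threat: str             # the potential danger
    threat_agent: str       # who or what realises the threat
    vulnerability: str      # the weakness the agent exploits
    likelihood: float       # 0..1: chance the agent exploits the vulnerability in a period
    exposure_factor: float  # 0..1: fraction of the asset lost when it is exploited

    def __post_init__(self):
        # Reject out-of-range probabilities/fractions instead of silently scoring them.
        for name in ("likelihood", "exposure_factor"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be in [0, 1], got {value}")

    def impact(self) -> float:
        """Loss from one successful exploitation: the exposure applied to the asset."""
        return self.asset_value * self.exposure_factor

    def risk(self) -> float:
        """Likelihood of exploitation times the resulting business impact."""
        return self.likelihood * self.impact()


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure; 'element' names the security element it reduces."""
    name: str
    element: str      # "threat", "vulnerability" or "exposure"
    reduction: float  # 0..1: fraction by which it reduces that element

    def __post_init__(self):
        if self.element not in ("threat", "vulnerability", "exposure"):
            raise ValueError(f"unknown element {self.element!r}")
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError("reduction must be in [0, 1]")


def apply_safeguards(scenario: Scenario, safeguards) -> Scenario:
    """Return the residual scenario after the safeguards are in place.

    Safeguards on the threat or the vulnerability lower the likelihood of a
    successful exploit; safeguards on the exposure lower how much is lost."""
    likelihood = scenario.likelihood
    exposure = scenario.exposure_factor
    for s in safeguards:
        if s.element == "exposure":
            exposure *= 1.0 - s.reduction
        else:  # "threat" or "vulnerability"
            likelihood *= 1.0 - s.reduction
    return replace(scenario, likelihood=likelihood, exposure_factor=exposure)


def rank_by_risk(scenarios):
    """Highest-risk scenarios first, so treatment effort goes where it matters."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


# Constructed sample register mirroring the page's two stories (all figures invented).
BANK = Scenario(
    asset="customer funds", asset_value=10_000_000,
    threat="theft of money", threat_agent="hackers using the malware",
    vulnerability="security flaw in the banking software",
    likelihood=0.05, exposure_factor=0.20,   # 20% of assets reachable through the flaw
)
ANTIVIRUS = Scenario(
    asset="workstation productivity", asset_value=500_000,
    threat="virus outbreak disrupts work", threat_agent="commodity malware",
    vulnerability="antivirus signatures not kept up to date",
    likelihood=0.30, exposure_factor=0.50,
)
BANK_SAFEGUARDS = [
    Safeguard("patch the software flaw", "vulnerability", 0.90),   # removes most of the open door
    Safeguard("per-transaction limits and alerts", "exposure", 0.50),  # halves what can be taken
]

if __name__ == "__main__":
    for s in rank_by_risk([BANK, ANTIVIRUS]):
        print(f"{s.asset:<26} impact={s.impact():>12,.0f} risk={s.risk():>10,.0f}")
    residual = apply_safeguards(BANK, BANK_SAFEGUARDS)
    print(f"bank residual risk after safeguards: {residual.risk():,.0f}")
```

Running it ranks the bank scenario (risk 100,000) above the antivirus scenario (risk 75,000) even though the antivirus vulnerability is far more likely to be exploited, because the bank's impact is much larger; applying the two bank safeguards drops its residual risk to 5,000. The point the page makes in prose is visible in the arithmetic: the patch acts on the vulnerability and moves the likelihood, the transaction limits act on the exposure and move the impact, and risk falls when either one falls.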

Source: https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Information_Security_and_Risk_Management
Creative Commons License This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Last modified: Tuesday, March 12, 2024, 4:38 PM