Threat, Vulnerability and Risk
Jul 20th, 2013 by Jesper Kråkhede
Security architecture is sometimes just a number of words glued together with some pictures; or, to be more explicit, the power of security architecture lies in the visualisation of fully defined words.
Some words that commonly need both definition and explanation are: Threat, Vulnerability and Risk.
Threat:
1. An expression of an intention to inflict pain, injury, evil, or punishment.
2. An indication of impending danger or harm.
3. One that is regarded as a possible danger; a menace.
Vulnerability:
1. Susceptible to physical or emotional injury.
2. Susceptible to attack.
3. Open to censure or criticism; assailable.
Risk:
1. The possibility of suffering harm or loss; danger.
2. A factor, thing, element, or course involving uncertain danger; a hazard.
Sadly, it is very common for these words to be used interchangeably, leading to misunderstandings and therefore to mistakes.
In short, a threat exists when someone or something could, intentionally or unintentionally, harm you. A vulnerability means that a threat has a chance of succeeding in inflicting harm. Calculating this chance is calculating the risk. A risk depends on an identified attacker and a vulnerability. If there is a threat but no vulnerability, there is no risk.
Consequently, a vulnerability analysis and a risk analysis are two different things. Finding vulnerabilities is not the same as calculating the probability of their being exploited; the latter is a risk analysis.
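To make the distinction concrete, here is an added example (my own code, not from the post) of a toy risk register that keeps the three terms apart. The assumptions are mine and are not stated in the post: a threat carries a likelihood of being attempted and a set of weakness classes it can exploit, a vulnerability carries an impact if exploited, and a risk exists only for a threat paired with a vulnerability it can actually reach. All names and scores are constructed sample values.

```python
"""Added example (not from the original post): a toy risk register in which
vulnerability analysis and risk analysis are separate steps.

Assumptions (mine, not the author's): a threat has a likelihood of being
attempted and a set of weakness classes it can exploit; a vulnerability has an
impact if exploited; a risk is scored only where a threat meets a vulnerability
it can exploit. All data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float     # 0.0 .. 1.0, chance the threat is attempted (assumed scale)
    targets: frozenset    # weakness classes this threat is able to exploit


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    weakness: str         # weakness class, e.g. "unpatched-service"
    impact: int           # 1 .. 5, harm if exploited (assumed scale)


def vulnerability_analysis(findings):
    """Enumerate vulnerabilities from constructed scan-style findings.
    This step only records what is weak; it says nothing about who could
    exploit it or how likely that is."""
    return [Vulnerability(f["asset"], f["weakness"], f["impact"]) for f in findings]


def risk_analysis(threats, vulns):
    """Pair each threat with the vulnerabilities it can exploit and score the
    chance of harm as likelihood * impact.  A threat with no matching
    vulnerability produces no risk, and a vulnerability that no listed threat
    can reach produces no risk either."""
    risks = []
    for t in threats:
        for v in vulns:
            if v.weakness in t.targets:
                risks.append((t.name, v.asset, round(t.likelihood * v.impact, 2)))
    return sorted(risks, key=lambda r: r[2], reverse=True)


def threats_without_risk(threats, risks):
    """Threats that exist but, lacking a matching vulnerability, carry no risk."""
    at_risk = {name for name, _asset, _score in risks}
    return {t.name for t in threats} - at_risk


# Constructed sample data: three threats, three findings.
SAMPLE_THREATS = [
    Threat("opportunistic scanner", 0.9, frozenset({"unpatched-service"})),
    Threat("insider with badge", 0.2, frozenset({"shared-password", "no-door-log"})),
    Threat("earthquake", 0.05, frozenset({"single-site"})),   # no matching vulnerability
]
SAMPLE_FINDINGS = [
    {"asset": "web-01", "weakness": "unpatched-service", "impact": 4},
    {"asset": "hr-share", "weakness": "shared-password", "impact": 5},
    {"asset": "lobby", "weakness": "propped-door", "impact": 2},  # no listed threat reaches it
]


if __name__ == "__main__":
    vulns = vulnerability_analysis(SAMPLE_FINDINGS)
    risks = risk_analysis(SAMPLE_THREATS, vulns)
    print("vulnerabilities found:", len(vulns))
    for name, asset, score in risks:
        print(f"risk {score:>4}: {name} -> {asset}")
    print("threats with no risk:", threats_without_risk(SAMPLE_THREATS, risks))
```

The vulnerability step returns three findings, the risk step returns only two scored entries, and the earthquake threat appears in neither: exactly the case the post describes of a threat with no vulnerability and therefore no risk. Swapping in a different threat list changes the risk register without changing the vulnerability list, which is why the two analyses are different exercises.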
Have you got it straight now? 🙂