There is a need to understand the concepts of ‘VULNERABILITY, THREAT, AND RISK’ when trying to understand the nuts and bolts of Cybersecurity. These three (3) concepts are fundamental, but they’re often used interchangeably.
Cybersecurity, like other fields, has its own lingo, and careless use of these sensitive terms brings about misunderstanding and misuse of terminology.
Vulnerability, threats and risks are all distinct concepts and they convey their own meanings in their different entities.
Now let’s look at their meanings from the surface.
According to William Stallings and Lawrie Brown’s “Computer Security: Principles and Practice”:
- A VULNERABILITY is a flaw or weakness in an asset’s design, implementation or operation and management, that could be exploited by a threat agent.
- A THREAT is the potential for a threat agent to take advantage and exploit a vulnerability.
- A RISK is the potential for loss when the threat materializes, i.e. when a threat agent actually exploits a vulnerability.
Let’s take a deep dive into each of these.
• VULNERABILITY: This is a flaw or weakness in an asset’s (what you’re protecting) design, its implementation, or its management that could be exploited by a threat actor. This weakness or shortcoming could exist in the process or control of your asset, which could be an infrastructure, a database or a piece of software. A vulnerability could also exist in the implementation or deployment of this asset, thereby exposing your organization to a threat. There are several types of vulnerabilities, but we can categorize them into two, namely:
- Technical vulnerabilities: These are errors in software or hardware, e.g. bugs in code.
- Human vulnerabilities: These are errors made by people that expose an asset to a threat, e.g. an employee falling for phishing.
When vulnerabilities are unknown or undiscovered by the security team, this leaves an organization open to attack. It should be noted that the more vulnerabilities you have, the higher the potential for threat and the larger the risk. The question behind identifying vulnerabilities is “How could harm occur?”
• THREAT: Threat and risk are the two words most commonly used interchangeably. But in Cybersecurity, they are different. The most common definition of a threat in Cybersecurity is “Anything that can exploit a vulnerability and affect the CIA (Confidentiality, Integrity and Availability) of a system, data, information or infrastructure”. A threat exists when an attacker has the capability and opportunity to bring a negative effect on a software, system, network or infrastructure. It should be noted that not all threats are the same. Examples of threats include malware, phishing, etc. Identifying a threat brings us down to the question “Who or what could cause harm?”.
• RISK: Risk is the potential for loss, harm or damage when a negative event occurs. This is the scale of harm that occurs when the threat is carried out. Risk also encompasses the likelihood of a negative or harmful event occurring. From a more technical angle, risk is the probable frequency and magnitude of loss. When there is an attack, something is at risk: it could be a system, a device, a business process or even an organization’s reputation.
In simple form, we can say: Vulnerability × Threat = Risk. This means vulnerability multiplied by the potential threat gives an estimate of the risk involved.
To run a risk mitigation and management process, the security team needs to understand the vulnerabilities and the threats to those vulnerabilities.
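The definitions above (risk as the probable frequency and magnitude of loss, estimated from a vulnerability and the threat against it) can be put into a small risk register. The following Python is an added example written for this article, not code from the article or the book it cites; the asset names, exploitability scores, attempt rates and loss figures are constructed assumptions chosen only to show how the pieces combine and how a mitigation lowers residual risk.

```python
"""Risk register example: risk as probable frequency x magnitude of loss.

Added illustration (not from the original article). All scales, names and
numbers below are constructed assumptions for demonstration.
"""
from dataclasses import dataclass, replace
from enum import Enum


class VulnKind(Enum):
    TECHNICAL = "technical"   # errors in software or hardware
    HUMAN = "human"           # errors made by people


@dataclass(frozen=True)
class Vulnerability:
    asset: str             # what is being protected
    description: str
    kind: VulnKind
    exploitability: float  # assumed 0..1: chance one attempt by a threat agent succeeds


@dataclass(frozen=True)
class Threat:
    agent: str                # who or what could cause harm
    description: str
    attempts_per_year: float  # assumed expected number of attempts per year


@dataclass(frozen=True)
class RiskEntry:
    vulnerability: Vulnerability
    threat: Threat
    loss_per_event: float  # assumed expected loss (currency units) per successful exploitation

    @property
    def loss_event_frequency(self) -> float:
        """Probable frequency of loss: how often the threat succeeds against the vulnerability."""
        return self.threat.attempts_per_year * self.vulnerability.exploitability

    @property
    def annual_loss_expectancy(self) -> float:
        """Risk = probable frequency x magnitude of loss, per year (rounded to cents)."""
        return round(self.loss_event_frequency * self.loss_per_event, 2)


def rank_risks(entries):
    """Highest risk first, so mitigation effort goes where loss expectancy is largest."""
    return sorted(entries, key=lambda e: e.annual_loss_expectancy, reverse=True)


def total_risk(entries):
    """Sum of annual loss expectancy across the whole register."""
    return round(sum(e.annual_loss_expectancy for e in entries), 2)


def with_mitigation(entry, new_exploitability):
    """Residual risk after a control lowers the vulnerability's exploitability.

    The threat itself is unchanged: patching or training does not stop attackers
    from trying, it lowers the chance that an attempt succeeds.
    """
    mitigated = replace(entry.vulnerability, exploitability=new_exploitability)
    return RiskEntry(mitigated, entry.threat, entry.loss_per_event)


# Constructed sample register: one human and two technical vulnerabilities.
RISK_REGISTER = [
    RiskEntry(
        Vulnerability("customer database", "SQL injection in search form", VulnKind.TECHNICAL, 0.6),
        Threat("external attacker", "targeted web application attack", 4),
        50_000,
    ),
    RiskEntry(
        Vulnerability("employee mailboxes", "staff not trained to spot phishing", VulnKind.HUMAN, 0.3),
        Threat("phishing campaign", "credential-harvesting emails", 12),
        10_000,
    ),
    RiskEntry(
        Vulnerability("VPN appliance", "missing vendor security patch", VulnKind.TECHNICAL, 0.2),
        Threat("opportunistic scanner", "mass exploitation of known flaws", 20),
        80_000,
    ),
]


if __name__ == "__main__":
    for entry in rank_risks(RISK_REGISTER):
        v, t = entry.vulnerability, entry.threat
        print(f"{v.asset:20} {v.kind.value:9} vs {t.agent:22} ALE={entry.annual_loss_expectancy:>10,.2f}")
    print(f"total ALE: {total_risk(RISK_REGISTER):,.2f}")
    patched = with_mitigation(RISK_REGISTER[2], 0.02)
    print(f"VPN ALE after patching: {patched.annual_loss_expectancy:,.2f}")
```

Ranking by annual loss expectancy rather than by vulnerability count alone is the practical point: the VPN entry has the lowest exploitability of the three, yet it carries the largest risk because the threat against it is frequent and the loss per event is high.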
RISK MANAGEMENT
It can be difficult to determine the likelihood of a threat and its realistic cost when managing risk.
To ensure efficient and effective risk management, a routine and ongoing practice must be put in place in which risks are regularly reviewed to reduce the potential for threats occurring.