Risk, Threat and Vulnerability… What’s The Difference?
In today’s world many people, especially “the press,” swap one security term for another when they should not. Security terminology has specific meanings to be used in specific ways, and it is important that businesses and individuals both understand the difference. In this article we will take a short, basic look at three terms you must understand: “risk,” “threat,” and “vulnerability.”
What Is Risk?
“Risk” refers to the combination of:
- the probability of being targeted for attack
- the likelihood that an attack succeeds
- the overall general exposure to the attack
A “Risk Assessment” will reveal the most severe and likely weaknesses and serve as a guide to prioritize correction of the weaknesses. It will be found that some weaknesses must be corrected immediately while others, being less obvious or less potentially damaging, can be addressed later.
The potential damage one is likely to incur for each weakness is weighed against the cost of correction (time and money), which typically helps to further prioritize funds and actions.
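As an added illustration of the weighing described above (this is example code, not part of the original article), the following Python ranks a constructed register of weaknesses by expected loss against correction cost and sorts them into “immediate” and “later.” Every probability, impact and cost figure here is an invented sample value.

```python
from dataclasses import dataclass

@dataclass
class Weakness:
    name: str
    p_targeted: float  # probability the weakness is targeted (0..1)
    p_success: float   # probability an attack on it succeeds (0..1)
    impact: float      # estimated loss if the attack succeeds (currency units)
    fix_cost: float    # cost of correction, time and money (same units)

def expected_loss(w: Weakness) -> float:
    """Probability of being targeted x probability of success x exposure."""
    return w.p_targeted * w.p_success * w.impact

def prioritize(register, immediate_ratio: float = 1.0):
    """Rank weaknesses by expected loss per unit of correction cost.

    A weakness whose expected loss is at least `immediate_ratio` times its
    fix cost is tagged 'immediate'; the rest can be scheduled 'later'.
    Returns a list of (name, expected_loss, tier) tuples, highest priority first.
    """
    ranked = sorted(register, key=lambda w: expected_loss(w) / w.fix_cost, reverse=True)
    result = []
    for w in ranked:
        loss = expected_loss(w)
        tier = "immediate" if loss >= immediate_ratio * w.fix_cost else "later"
        result.append((w.name, round(loss, 2), tier))
    return result

# Constructed sample register; every number here is an illustrative assumption.
SAMPLE_REGISTER = [
    Weakness("Unpatched VPN appliance", 0.8, 0.5, 200_000, 5_000),
    Weakness("Default password on lobby kiosk", 0.6, 0.9, 20_000, 200),
    Weakness("No alarm contact on rear loading dock", 0.2, 0.7, 50_000, 12_000),
    Weakness("Outdated CMS on marketing site", 0.5, 0.3, 8_000, 15_000),
]

if __name__ == "__main__":
    for name, loss, tier in prioritize(SAMPLE_REGISTER):
        print(f"{tier:9s} expected loss {loss:>10,.2f}  {name}")
```

Note that the cheap kiosk fix outranks the VPN appliance despite a far smaller expected loss, because the ranking is loss per unit of correction cost, not raw loss.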
What is Threat?
The term “threat” refers to a particular source and the delivery of that source. A disgruntled ex-employee with a gun in the front office is a different threat from a disgruntled ex-employee in the parking lot. Both are serious and both are frightening, but a professional threat assessment will address each separately and determine the best solution to secure against that particular threat.
Effective countermeasures can be established only after intense focus on each individual threat or class of threat.
Remember, the “risk assessment” looks at the probability of attack and the probability of success of the attack, whereas a “threat assessment” will focus more on analysis of the type and strength of the attack.
What is Vulnerability?
“Vulnerability” refers to the strengths and weaknesses of your system of defense. These strengths and weaknesses are evaluated for a pass/fail scoring against potential threats. An ongoing assessment of vulnerability helps find previously undiscovered weaknesses and provides assurance that previously high-scored defenses are still in place.
The Expertise of Crane Intelligence, Inc.
We are often called on to test the defense systems of various agencies. Our most effective report consisted of a sticky note plastered to the boss’s computer screen.
Make sure you understand how, when and why the terms discussed here are to be used. Correct usage facilitates good communication and goes a long way in developing proper understanding, which in turn helps establish good defenses.
Tracy O. Crane