(Post 3 of the 12-week Information Security Management blog series)
Vulnerabilities, threats, and risk are three critical terms to understand in order to properly protect one’s information. These are terms that are often tossed around in articles and guidance documents related to information security but are not always clearly defined. Many times, the target audiences of these articles and documents are cybersecurity professionals who know the lingo.
I believe that every business owner, manager, and even individual employee should understand them as well. This is because understanding these fundamental terms will allow organizations and individuals to more effectively plan and implement measures to protect their networks, systems, and information.
The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, publishes a set of standards and best practices through its Computer Security Resource Center (CSRC) website. The NIST Special Publication (SP) 800-series documents contain a great deal of information related to securing networks and network infrastructure. NIST SP 800-30 covers conducting risk assessments, and because risk is the subject of that publication, it is a fantastic resource for defining these three terms.
Vulnerabilities
NIST defines a vulnerability as “weakness(es) in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source”. Simply put, a vulnerability is a flaw just waiting to be exploited. A vulnerability could be a poorly coded portion of a software application that allows an unauthorized person to gain access to a system, or to elevate privileges and obtain unauthorized administrative control over it. A less technical type of vulnerability could be a flaw in the way your physical security system was installed that lets an intruder enter your facility without passing any cameras or locked doors; an open window without a sensor on it, for example.
Threats
Threats are related to vulnerabilities in the sense that threats are the things, people, or events that stand to exploit vulnerabilities and, in doing so, cause damage. NIST defines a threat as “any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service”. Because the definition of a vulnerability above refers to one, a threat source is also defined specifically, as “the intent and method targeted at the intentional exploitation of a vulnerability or the situation and method that may accidentally exploit a vulnerability”. Simply put, a threat is anything that has the potential to adversely impact your organization, and a threat source is the specific combination of who or what would exploit a vulnerability, how, and why.
Threats and threat sources can be almost anything, from your own employees to the weather. A threat could be the mechanical failure of computer equipment or even a neighboring building catching fire. These are the events and situations that potentially stand to harm your organization.
Risk
Just as threats are tied to and dependent on vulnerabilities, risk is essentially the result of a formula that involves both threat sources and vulnerabilities. NIST defines risk as “a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization”. In other words, risk considers two things: how likely it is that a threat source will exploit a vulnerability, and how grave the impact of that exploitation would be.
Rating likelihood and impact is subjective, so it helps to pick a fixed scale (for example low, moderate, and high) and apply it consistently. Generally, high risk involves both a high likelihood that a threat source would exploit a given vulnerability and a high impact if the vulnerability were exploited. Similarly, low risk generally involves a low likelihood that a threat source would exploit a given vulnerability and a low impact if it were. Mixed cases fall in between, and impact usually weighs more heavily: a rare but catastrophic event, such as a flood in the server room, can still rate as moderate or high risk, while a frequent but harmless one rates low.
To properly analyze risk, it is necessary to identify potential threats and vulnerabilities, then estimate how likely it is that each threat source might exploit its related vulnerability, and finally determine what the impact of that exploitation would likely be. The reward for doing this is that once a risk level has been assigned to each threat and vulnerability pair, you or your organization will be much better prepared to direct resources where they are most needed.
Knowing the risks related to your information and information systems allows you to direct your efforts first towards mitigating the threat and vulnerability pairs that are high risk, then medium risk, and finally low risk. It also provides the information you need to make an informed decision about whether to simply accept the risk for a given threat and vulnerability and apply no mitigation; that decision should be made deliberately by someone with the authority to accept it, and recorded so it can be revisited when the likelihood or impact changes. Without this information, you or your organization could easily be putting time, money, and effort into security measures that are not entirely necessary, or that do not protect against the more likely and more damaging exploitations.
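The procedure described above (list threat and vulnerability pairs, rate likelihood and impact, combine them into a risk level, then decide what to mitigate and what to accept) is small enough to write down. The following is an added example, not code from the original post or from NIST: it uses a five-level qualitative scale and a likelihood-by-impact matrix that are my own assumptions, similar in spirit to the matrices in SP 800-30 but not reproduced from it, and the scenarios, ratings, and the "accept anything rated low or below" threshold are constructed for illustration.

```python
"""Qualitative risk ranking in the spirit of NIST SP 800-30.

Added example; the scale, matrix, scenarios and acceptance threshold
are assumptions made for illustration, not values from NIST.
"""
from dataclasses import dataclass

# Assumed qualitative scale, ordered from least to most severe.
LEVELS = ["very low", "low", "moderate", "high", "very high"]

# Assumed risk matrix: row = likelihood, column = impact (in LEVELS order).
# Impact dominates on the high end: a "low" likelihood with "very high"
# impact still rates "moderate", while "high" likelihood with "low" impact
# rates only "low".
RISK_MATRIX = {
    "very high": ["very low", "low", "moderate", "high", "very high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "low":       ["very low", "low", "low", "low", "moderate"],
    "very low":  ["very low", "very low", "very low", "low", "low"],
}


@dataclass(frozen=True)
class Scenario:
    """One threat-source / vulnerability pair with its two ratings."""
    threat_source: str
    vulnerability: str
    likelihood: str  # chance the source exploits the vulnerability
    impact: str      # severity of the resulting adverse event


def level_index(level: str) -> int:
    """Position of a rating on the scale; rejects anything off-scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown rating {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def risk_level(likelihood: str, impact: str) -> str:
    """Combine the two ratings through the assumed matrix."""
    level_index(likelihood)  # validate
    return RISK_MATRIX[likelihood][level_index(impact)]


def treatment(risk: str, accept_at_or_below: str = "low") -> str:
    """Assumed policy: accept risks at or below the threshold, mitigate the rest.
    In practice the acceptance is a documented management decision."""
    return "accept" if level_index(risk) <= level_index(accept_at_or_below) else "mitigate"


def assess(scenarios, accept_at_or_below: str = "low"):
    """Rate every scenario and return them ordered highest risk first.
    Ties are broken by impact, then likelihood, so a catastrophic-but-rare
    item outranks a nuisance-but-frequent one at the same risk level."""
    rated = []
    for s in scenarios:
        risk = risk_level(s.likelihood, s.impact)
        rated.append({
            "threat_source": s.threat_source,
            "vulnerability": s.vulnerability,
            "risk": risk,
            "decision": treatment(risk, accept_at_or_below),
        })
    rated.sort(key=lambda r: (level_index(r["risk"]),
                              level_index(next(s.impact for s in scenarios
                                               if s.vulnerability == r["vulnerability"])),
                              ), reverse=True)
    return rated


# Constructed scenarios for illustration (ratings are assumptions).
SAMPLE_SCENARIOS = [
    Scenario("external attacker", "unpatched privilege-escalation flaw in internet-facing web app", "high", "very high"),
    Scenario("intruder", "open ground-floor window with no sensor", "moderate", "moderate"),
    Scenario("severe weather", "server room in a basement that floods", "low", "very high"),
    Scenario("disgruntled employee", "shared, never-rotated administrator password", "moderate", "high"),
    Scenario("mechanical failure", "single aging disk holding only redundant backups", "high", "low"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_SCENARIOS):
        print(f'{row["risk"]:>9}  {row["decision"]:<8}  {row["threat_source"]} -> {row["vulnerability"]}')
```

Run as a script it prints the ranked list, with the web-application flaw at the top, the basement flood ranked above the other moderate items because of its impact, and only the disk failure marked "accept". Change the matrix or the threshold and the ranking shifts accordingly, which is the point: the value of the exercise is in making those judgments explicit and consistent, not in the specific numbers.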