You are on page 1of 8

Threat vs Vulnerability vs Risk | Digital Threat

http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/

About Free CISSP Revision E-Book In the Media Subscribe By RSS or Email

Safexpert - software for


www.safexpert.eu/ CE-marking and risk assessment following new Machinery Directive

Home Risk Management Threat Mitigation Exploits and Malware Penetration Testing Programming Reviews

by Jago Maniscalchi // June 26, 2009 // Risk Management // 6 Comments There is some debate in the security community surrounding the defintion of Threat, Vulnerability and Risk. ISO, IEC, NIST and ENISA all disagree, and the Information Security industry also offer various defintions. As examples, Richard Bejtlich of TAO Security, International Charter, Eleventh Alliance and Ingenta all differ in their opinions. The one common theme is that Information Security exists to manage risk, and that risk exists as a function of at least threat and vulnerability. Lets start with the least controversial defintion, Vulnerability. Vulnerability vulnerable (adjective) 1 exposed to being attacked or harmed Vulnerabilty, the least contentious of the Information Security definitions has only a single dictionary defintion exposure to attack. In Information Security, then, vulnerability could be defined as a flaw or weakness in hardware, software or process that exposes a system to compromise. NIST SP 800-30 Risk Management Guide for Information Technology Systems defines a vulnerability similarly: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the systems security policy. The Information Technology Security Evaluation Criteria ( ITSEC ), a standard used by a number of European Countries, defines vulnerability as:

1 of 8

12/9/2013 11:08 AM

Threat vs Vulnerability vs Risk | Digital Threat

http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/

The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved. Threat Threat is a more contentious definition. In the Oxford Dictionary: threat (noun) 1 a stated intention to inflict injury, damage, or other hostile action on someone. 2 a person or thing likely to cause damage or danger. 3 the possibility of trouble or danger. In Information Security circles, threat is defined variously. Usually definition 2 above is used, and thus threat becomes the actor a person or thing. SANS in their Ethical Hacking and Penetration Testing course define threat simlarly, as an actor. Both, NIST SP800-30 and the Common Criteria for Information Technology Security Evaluation (an ISO standard replacing ITSEC) differentiate between a threat source or threat-agent and a threat. NIST defines threat-source as the interaction of an actor and motivation, and threat as the interaction between a threat-source and a vulnerability. Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. A threat then, is either intention/motivation, an actor, a possibility of danger or a combination of a subset of those. My preferred defintion is that threat is the interaction of actor, motivation and vulnerability.

The European Network and Information Security Agency (ENISA) offer a broader definition encompassing that offered above: Any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. It is important to note at this point that no source has defined threat as including an element of probability. Whilst it is clear, thus far, that a threat only occurs where a motivated actor co-exists with a vulnerablity, the chance of that threat leading to an event has not yet been considered. Risk

2 of 8

12/9/2013 11:08 AM

Threat vs Vulnerability vs Risk | Digital Threat

http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/

Firstly, from the Oxford dictionary: risk (noun) 1 a situation involving exposure to danger. 2 the possibility that something unpleasant will happen. 3 a person or thing causing a risk or regarded in relation to risk: a fire risk According to the dictionary, Risk is either a 1. circumstance, which we earlier defined with the term threat, 3. an actor, which we earlier defined as a component of a threat, or 2. the possibility that something unpleasant will happen. SANS aside, who teach that Risk is the interaction of actor and vulnerability, defintion 2. is most common within Information Security. ISO Guide 73 Risk Management defines risk as: The combination of the probability of an event and its consequence ISO 13335 Information Technology Security Techniques defines risk as: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. So risk contains elements of a threatening circumstance (actor, motivation and vulnerability), probability and business impact. It is important consider semantics here we are not considering the risk of a threat, we are considering the risk associated with a business suffering an outcome as a result of a threat.

Probability of an attack is largely affected by the specific vulnerability and the motivation of the actor, though external factors should also be applied when calculating it. For this reason it should always be considered as distinct from the threat itself. Business Impact, often forgotten by technical staff conducting risk assessment or deploying counter measures, is itself also a function of several factors already considered. Outcomes are affected largely by the actor (state / industrial / criminal) and the specific vulnerability. Business impact is an primary element of risk and is usually closely correlated with it. Conclusion This article has illustrated the tensions between dictionary, government and industry definitions of well used Information Security terms. Considerable disagreement continues surrounding the defintion of threat and risk, though the use of threat as a circumstance, and risk as having elements of impact and probability are largely agreed. Though a universally agreed set of definitions is desirable, it is also idealistic. It is perhaps most important, in the short term, that currently used defintions are at least understood by all, before embarking on an attempt at agreement. About the Author

3 of 8

12/9/2013 11:08 AM

Threat vs Vulnerability vs Risk | Digital Threat

http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zooalogical society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.

6 Comments on "Threat vs Vulnerability vs Risk"

1. Kelly November 9, 2009 at 741 Thanks Lets keep our security people from scanning for known vulnerabilities and sending it to management as a measuremebt if risk by itself.

2. Dave June 28, 2010 at 1029 Defining threat in terms of vulnerability has the disadvantage of dismissing threats once vulnerabilities are eliminated. The CISSP CBK defines: Threat: The potential danger that a vulerability may be exploited intentionally, triggered accidentally, or otherwise exercised. Threat Agent: A means or method used to exploit a vulnerability in a system, operation or facility. If one builds a fireproof structure that can withstand continuous exposure to very high temperatures for an indefinite amount of time with no damage, then it has no vulnerability to fire. But should that mean that fire is not considered a threat? If perfect armor could be developed, does that mean that IEDs are not a threat? And if a perfectly secure IT system is developed (i.e., one that is disconnected and powered down), should that mean that network attacks are not a threat? The three-circle diagram only makes sense if Vulnerability (flaw, weakness) is interpreted to mean potential or hypothetical weakness, not weakness that actually exists in a specific system.

3. James Maniscalchi October 10, 2010 at 1108

4 of 8

12/9/2013 11:08 AM

Threat vs Vulnerability vs Risk | Digital Threat

http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/

Dave, I agree. When calculating risk, I always start with all possible vulnerabilities. There are a number of ways to try to enumerate them perhaps the subject of a future article? If, for a particular vulnerability, there is no motivated threat actor, or there is a working countermeasure in place, then there is no threat posed to the system. In reality, of course, most countermeasures can be evaded, and there is almost always a motivated actor. There threat therefore remains, if only at a low level.

4. shipra December 9, 2010 at 111 Thanks! This article helped me clear out many of my confusions.

Trackbacks for this post


1. Digital Threat Blog Archive Information Security Risk Analysis 2. Quora

Leave a Comment
Name (required) Email (required) Website

5 of 8

12/9/2013 11:08 AM

Threat vs Vulnerability vs Risk | Digital Threat

http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/

Unable to connect
Firefox can't establish a

Latest Tweets

6 of 8

12/9/2013 11:08 AM

Threat vs Vulnerability vs Risk | Digital Threat

http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/

Follow on Twitter // Contact Us Back to top Digital Threat brings you up to the minute commentary and analysis on all aspects of digital security. Posts cover common vulnerabilities, assessments of zero day exploits, viruses, worms and threat forecasts. All that, alongside informed commentary on day-to-day security issues. Contributors to Digital Threat are drawn from all sectors of the security industry.
Recent Articles

Guessing banking PINs using statistics Phishers using e-mail attachments to evade anti-virus Anti-virus evasion 2. Using custom shellcode Anti-virus evasion 1. Choosing a payload Code 2600 documentary to explore Information Security What is your password worth? O2 apologise to 3G customers for breach
Podcasts

Digital Underground Paul Dot Com Security Justice


Reading List

Bruce Schneier Dark Reading Darknet DoxPara Research F-Secure Blog Internet Storm Center SANS Security Laboratory Security Focus Shadowserver Threatpost
Security Bloggers Network

SBN Sponsor Post Kevin Riggins Missed OWASP AppSecUSA? Videos Online Now Michael Coates Mitigating Attacks On Industrial Control Systems (ICS); The New Guide From EU Agency ENISA Dark Reading SBN Sponsor Post Kevin Riggins Sunday Circle Share of Awesome Richi Jennings This Week In Application Security News: December 2 8 Sarah Vonnegut

7 of 8

12/9/2013 11:08 AM

Threat vs Vulnerability vs Risk | Digital Threat

http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/

Symantec BugTraq

Vuln: HawtJNI CVE-2013-2035 Local Privilege Escalation Vulnerability Vuln: Jamroom Search Module 'search_string' Parameter Cross Site Scripting Vulnerability Vuln: GIMP XWD File Handling Buffer Overflow Vulnerability 2013 Digital Threat

8 of 8

12/9/2013 11:08 AM

You might also like