Vulnerability, Threat & Risk
The three terms vulnerability, threat and risk are often used interchangeably, but there is a key difference between them, which we'll discuss in this post.
7/7/2024
Vulnerability vs Threat vs Risk
A vulnerability is an error, technical or human, that can be used to gain unauthorized access to a system.
A threat is a malicious event that takes advantage of a vulnerability.
Risk is the potential for loss and damage caused by a threat.
You can look at it this way: a car's brakes failing would be the vulnerability, getting into an accident is the threat and paying for the damages is the risk.
What is a vulnerability?
A vulnerability is a weakness or an error in a system that allows threat actors to gain illegitimate access to an organization's sensitive data.
There are multiple types of vulnerabilities; some of the most common are:
Software vulnerability
This type of vulnerability exists within a software product and tends to occur due to:
Programming errors, such as SQL injection.
Design flaws like Log4Shell or not authenticating a user request.
A threat actor can exploit these vulnerabilities to install malware on a system. This can go undetected until the payload is executed, because the program functions as intended.
Configuration/Process vulnerability
Misconfigurations are often the reason why organizations are exposed to cybercriminals, even if the software and hardware have no vulnerability.
Some examples of this vulnerability are:
Keeping default credentials.
Improper firewall configuration.
Giving all employees access to sensitive data.
Failing to encrypt SPII/PII (Sensitive/Personal Identifiable Information).
Another vulnerability is having poor processes in place. In order to correct misconfigurations and mitigate risks, cyber security teams should regularly conduct internal audits and training.
Physical vulnerability
A physical vulnerability can be:
A stolen device, which can be either a company asset or BYOD (Bring Your Own Device).
Blind spots in a camera security system.
Unauthorized access to server rooms.
In order to protect against these physical threats, organizations should enforce strict policy controls.
What is a threat?
A threat is any event that takes advantage of a vulnerability and puts the confidentiality, integrity and availability (also known as the CIA triad) of a system at risk.
The most common reasons for a cyberattack are:
Money.
Extortion.
Computing resources, for example for cryptocurrency mining or DDoS attacks.
Some examples of attacks are malware, ransomware, phishing and many more. While some threats are more dangerous than others, it's important to have good policies and processes in place in order to remediate issues before they are exploited.
What is a risk?
Risk is the likelihood that a harmful event happens, combined with the scale of its impact. An organization's risk changes over time, depending on internal and external factors.
In order to calculate the risk, you have to take into account the following:
How often the vulnerability can be exploited by an attacker.
How well the organization's current policies, procedures and tools mitigate the threat.
The value of the impact if the attack is successful.
A simple way to look at this is:
Vulnerability x Threat = Risk
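The following is an added worked example (not part of the original post) that turns the three factors above into the post's formula. It assumes one possible mapping: the vulnerability factor is how often the weakness can be exploited after the existing controls are applied, and the threat is weighted by the impact of a successful attack; the register entries and their numbers are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    name: str
    likelihood: float  # how often the vulnerability can be exploited, 0..1
    mitigation: float  # how well current policies/tools mitigate the threat, 0..1
    impact: float      # value of the damage if the attack succeeds (e.g. cost)

    def vulnerability_score(self) -> float:
        # Assumed mapping: exploitability that survives the existing controls.
        return self.likelihood * (1.0 - self.mitigation)

    def risk(self) -> float:
        # Vulnerability x Threat = Risk, with the threat weighted by its impact.
        return self.vulnerability_score() * self.impact


# Constructed register built from the weaknesses named in the post.
REGISTER = [
    RiskItem("Default credentials on admin console", 0.9, 0.1, 500_000),
    RiskItem("Unencrypted PII in backups", 0.4, 0.5, 1_000_000),
    RiskItem("Stolen BYOD laptop", 0.2, 0.8, 200_000),
    RiskItem("Camera blind spot at loading dock", 0.3, 0.6, 50_000),
]


def rank_by_risk(items):
    """Highest risk first, so the remediation backlog is ordered by loss."""
    return sorted(items, key=lambda item: item.risk(), reverse=True)


def top_risk(items):
    return rank_by_risk(items)[0].name


def with_mitigation(item, new_mitigation):
    """Model a new control: risk changes over time as mitigation improves."""
    return replace(item, mitigation=new_mitigation)


if __name__ == "__main__":
    for item in rank_by_risk(REGISTER):
        print(f"{item.risk():>12,.0f}  {item.name}")
    hardened = with_mitigation(REGISTER[0], 0.95)
    print("after rotating default credentials:", round(hardened.risk()))
```

Re-running the ranking after a control is added shows which weakness moves to the top of the backlog next.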