Daniel Messiler has an interesting essay about threats, vulnerabilities, and risks that is worth a quick read.
He summarizes this way:
- A Threat is a negative scenario you want to avoid; damage or loss of an asset; a danger
- A Threat Actor (person, entity, organization, is the agent that makes a Threat happen; threats and threat actors are cause-effect related.
- A Vulnerability is a weakness that can be exploited in order to attack you; vulnerabilities may enable threats. Security weaknesses in data and communication systems are a common vulnerability.
- A Risk is a negative scenario you want to avoid, combined with its probability and its impact. Risk and threat the same? No, because a threat is deterministic whereas a risk is probabilistic.
The difference between a Threat and a Risk is that a Threat is a negative event by itself, where a Risk is the negative event combined with its probability and its impact
Like this blog? You'll like my books also! Buy them at any online book retailer!
