In cybersecurity, the factors to consider are endless. Before we get ahead of ourselves, let’s make sure we fully understand three fundamental concepts of security: vulnerabilities, threats and risk.
In this article, we’ll look at these security concepts in depth and hear from industry experts for their up-to-the-minute takes.
Vulnerability vs threat vs risk
These terms are frequently used together, but they do explain three separate components of cybersecurity. In short, we can see them as a spectrum:
- First, a vulnerability exposes your organization to threats.
- A threat is a malicious or negative event that takes advantage of a vulnerability.
- Finally, the risk is the potential for loss and damage when the threat does occur.
Now let’s look in depth at each of these.
(For the latest and greatest in all things security, check out the Splunk Security Blog & these Cybersecurity and InfoSec Events & Conferences.)
What is a vulnerability?
Let’s start with vulnerabilities. A vulnerability is a weakness, flaw or other shortcoming in a system (infrastructure, database or software), but it can also exist in a process, a set of controls, or simply just the way that something has been implemented or deployed.
There are different types of vulnerabilities, we can sum them up generally as:
- Technical vulnerabilities, like bugs in code or an error in some hardware or software.
- Human vulnerabilities, such as employees falling for phishing, smishing or other common attacks.
Some vulnerabilities are routine: you release something and quickly follow up with a patch for it. The issue with the weakness is when it is unknown or undiscovered to your team. If it’s left as-is, this weakness could be vulnerable to some attack or threat. For example, a vulnerability is leaving your door unlocked overnight. It alone isn’t a problem, but if a certain person comes along and enters that door, some bad, bad things might happen.
Here, the more vulnerabilities you have, the greater potential for threats and the higher your risk. That makes sense, of course, but the sheer scale is enormous: according to UK server and domain provider Fasthosts, organizations can have thousands — even millions! — of potential vulnerabilities. Recent examples of vulnerabilities include the Microsoft Exchange vulnerabilities and the Log4j vulnerabilities, both from 2021. The CVE is a dictionary of publically disclosed vulnerabilities and exposures, a primary source of knowledge in the security field.
(Learn about the vulnerability management practice.)
What is a threat?
In cybersecurity, the most common definition of a threat is this:
Anything that could exploit a vulnerability, which could affect the confidentiality, integrity or availability of your systems, data, people and more. (Confidentiality, integrity and availability, sometimes known as the CIA triad, is another fundamental concept of cybersecurity.)
A more advanced definition of threat is when an adversary or attacker has the opportunity, capability and intent to bring a negative impact upon your operations, assets, workforce and/or customers. Examples of this can include malware, ransomware, phishing attacks and more — and the types of threats out there will continue to evolve.
Importantly, not all threats are the same, according to Bob Rudis, Vice President Data Science at GreyNoise Intelligence. And that’s where threat intelligence comes in. Rudis says:
“An attacker may have the intent and capability to do harm, but no opportunity.”
For example, your organization may have no vulnerabilities to exploit due to a solid patch management program or strong network segmentation policies that prevent access to critical systems. Chances are likely, however, that you do have vulnerabilities, so let’s consider the risk factor.
(Enable cyber threat intelligence (CTI) proactive cybersecurity.)
What is a risk?
Risk is the probability of a negative (harmful) event occurring as well as the potential of scale of that harm. Your organizational risk fluctuates over time, sometimes even on a daily basis, due to both internal and external factors.
A slightly more technical angle, the Open FAIR body of knowledge defines cyber risk as the probable frequency and probably magnitude of loss. Sounds complicated, until we break it down: “For starters,” Rudis says, "there is no ethereal risk. Something is at risk, be it a system, device, business process, bank account, your firm’s reputation or human life.”
This is where cybersecurity teams can begin to measure that risk:
- Estimate how often an adversary or attacker is likely to attempt to exploit a vulnerability to cause the desired harm.
- Gauge how well your existing systems, controls and processes can standup to those attempts.
- Determine the value of the impact or harm the adversary may cause if the adversary is indeed successful.
One way of describing risk was consequence X likelihood, but as security teams have advanced their processes and intelligence, we see that you have to also account for the safeguards you’ve already put in place.
Risk = threat x vulnerability
This is another way of looking at risk, albeit a bit simplified:
Vulnerability x Threat = Risk
We can sum up this calculation with the concepts from above: that a single vulnerability multiplied by the potential threat (frequency, existing safeguards, and potential value loss) can give you an estimate of the risk involved. In order for organizations to begin risk mitigation and risk management, you first need to understand your vulnerabilities and the threats to those vulnerabilities. This is no small task.
(Explore the 5 steps of risk management assessments.)
Real-world example
Your organization might be looking to protect all its data, likely through data encrpytion methods and other approaches. It’s incredibly expensive, so you must pare down which ones to protect the best.
You could think about the risk involved in this way: if the mechanism for protecting certain data fails in some way, you’ll have one or more vulnerabilitities. And if there is a threat actor who finds and exploits this vulnerability, the threat is realized.
Here, your risk is how valuable it would be to lose that data to the threat actor.
Risk management best practices
Part of the problem with risk is this universal truth: you cannot eliminate or entirely protect against all threats, no matter how advanced your systems. This is where the practice of risk management comes in: a routine, ongoing practice where the right personnel are regularly reviewing risks in order to minimize the potential for certain threats to occur.
What is Splunk?
This posting does not necessarily represent Splunk's position, strategies or opinion.