Threat vs Vulnerability vs Risk: What Are the Differences?
With cyberattacks becoming more frequent and more complex, businesses all over the world are reassessing their cyber security posture. In many cases, their zeal for new defenses ignores some basic best practices. Chief among them? Simply understanding and agreeing on basic cyber security concepts and definitions.
Misunderstanding and misalignment on the difference between vulnerability and threat lead to weaker security. Security planning, implementation, and execution rely on clear communication around these concepts and others.
In this post, threats vs vulnerability vs risk as core concepts will be explicitly compared, defined, and contrasted to ensure that the reader can build a foundation for understanding what goes into the cyber security necessary to protect their assets.
Difference between Threat, Vulnerability and Risk
The core concepts of cybersecurity may be interrelated, but they are decidedly different. Let’s look at each of them:
Assets
Assets are defined as anything of value that the business wants to protect. This can include people, information or data, intellectual property, and physical property.
Vulnerabilities
Vulnerabilities are weaknesses within the infrastructure that is being protected. This may include weaknesses in systems design, the implementation of security or the system itself, or weakness in an operational process or environment that can be exploited by unauthorized parties.
Threats
Threats are any potential actions or events that might leverage or exploit a vulnerability and cause harm to a business or an individual.
Risks
Risks are the potential resulting loss or damages that arise when a threat successfully exploits a vulnerability.
To understand how these different concepts exist on the same spectrum, consider the example of a house and an automobile below.
House
- House: A house and its contents would correctly be characterized as assets. If the front door is left unlocked, this would be characterized as a vulnerability. If a burglar was aware of the unlocked door and intended to exploit it, then he or she would be a threat. And the chance or likelihood of the burglar breaking in and stealing jewelry, electronics, or other possessions would be the risk. In this case, the difference between vulnerability and risk should be clear.
- Car: Similarly, a car or truck would be an asset. If the window is left rolled down while the owner goes into the grocery store, that would be a vulnerability. A passerby in the parking lot who sees the open window and notices some coins in a cupholder would be a threat. And the value of those coins would be the risk to the owner of the car if they were to be stolen. In this case the difference between risk, threat, and vulnerability should be clear.
While these analogies are illustrative, they do not quite detail the nuance involved when it comes to cyber security. Let’s start with a better understanding of vulnerabilities.
What is a Vulnerability?
A vulnerability is a weakness or defect in the design, implementation, integration, operation or utilization of an asset. CISA defines a vulnerability “as a set of conditions that may lead to an implicit or explicit failure of the confidentiality, integrity, or availability of an information system.”
These vulnerabilities can exist in software as bugs or code errors and in hardware as misconfigurations and design flaws. Vulnerabilities in processes and people come in the form of weak access controls, insufficient training on the difference between risk, threat, and vulnerability, and outdated or insecure workflows. Finally, these vulnerabilities can exist in infrastructure where databases, applications, hardware, and system configurations can all be open to exploitation.
Types of Vulnerabilities
Vulnerabilities can be classified into four types.
Technical vulnerabilities
Unpatched systems and insecure configurations are types of technical vulnerabilities. So too are issues with code, issues in hardware manufacturing, and other issues in software. An example might be a software bug that exposes private customer data.
Human vulnerabilities
Human vulnerabilities like a lack of awareness or vigilance can be especially dangerous. These vulnerabilities make employees susceptible to social engineering or phishing, for example.
Process vulnerabilities
These vulnerabilities are found in gaps or inefficiencies in procedures. One example of a process vulnerability would be insufficient monitoring of access logs.
The Impact of Vulnerabilities
Even in the best of circumstances, businesses deal with hundreds or even thousands of vulnerabilities at any given time. Each vulnerability increases the likelihood of an attack, the financial and reputational repercussions of which are potentially catastrophic. Vulnerabilities can also act as entry points for various cyber threats such as ransomware attacks in hospitals, leading to millions of dollars of loss in ransom and loss of time in services.
Examples of Recent Vulnerabilities
Recent examples highlight the scale and impact of vulnerabilities:
- MOVEit Transfer vulnerability: This vulnerability exposed sensitive data and impacted a huge number of organizations.
- RegreSSHion: This vulnerability was a flaw in SSH server implementations.
- Okta support breach: Identity access management company Okta faced a massive breach in recent months.
Further details can be found in the CVE database.
Significance of Vulnerability Management
Effective vulnerability management involves regular scans and assessments to find vulnerabilities. It also includes policies and standards (like ISO 27001) that align with best practices for strong cyber security. Strict access controls should be implemented, and cyber security teams should be proactive in fortifying weaknesses before exploitation or a hack can happen.
Without qualification or caveat, any organization that does not have strong vulnerability management in place puts itself at unnecessary risk of attack in an increasingly dangerous operating environment.
What is Threat?
A threat is anything that can exploit a vulnerability and thus compromise the confidentiality, integrity, or availability (CIA) of an asset. Threats are potential actions that can have a negative impact on individuals, systems or organizations.
Types of Threats
Threats can be classified into three types.
Intentional Threats
Intentional threats are deliberate actions meant to exploit a vulnerability. This can include malware or ransomware as well as a phishing attempt or theft of a user’s login credentials.
Unintentional Threats
As the name suggests, unintentional threats are those that come from negligence or poor training. Human errors like forgetting to update software or set a new password would qualify as unintentional threats.
Natural Threats
Natural threats are unpredictable events like a flood or earthquake. A fire that causes an evacuation of personnel and leaves the office door wide open would be a natural threat.
Evolution of Threats
The continuous evolution of cyber threats means businesses must be vigilant in their cyber security. Not all threats are created equal, and some are more dangerous than others. Businesses must therefore be able to prioritize different defense strategies based on threat intelligence, since an attacker may have the intent, but not the opportunity, to do harm.
Common Examples of Cyber Threats
Despite the fact that the number of threats seems to be increasing exponentially, most cyber threats fall into a few specific categories.
Malware
Malware is software that is designed to disrupt systems or impact the functionality of the software itself.
DDoS Attacks
A DDoS, or “distributed denial of service” attack, overloads a network with traffic so that the network is unable to serve valid network requests from users or customers.
Phishing
A deceptive email that seeks to steal sensitive information or trick an employee into taking an adverse action is called a phishing attack.
SQL Injection Attacks
A SQL injection attack exploits a vulnerability in how an application builds database queries, injecting malicious SQL through untrusted input so that it runs against the database itself.
Man-in-the-Middle (MitM) Attacks
As the name implies, a Man-in-the-Middle attack is one where communications are intercepted between two points. The information is either stolen and put to use by the attacker or used to further exploit a system.
To best protect themselves against cyber-attacks, organizations must remain vigilant. This includes continuously monitoring their networks and environments and educating employees on how to recognize and report threats. Additional measures like two-factor authentication provide an added layer of security and protection.
What is Risk?
Risk is the potential impact of a threat exploiting a vulnerability and thus leading to harm.
Risk Equation
An easy-to-remember risk equation combines the probability that a bad actor acts with the consequences of that action:
Risk = Likelihood of Occurrence x Potential Impact to Asset Owner
Factors Influencing Risk
A number of factors influence risk including the likelihood of exploitation and the severity of any resulting harm. Another factor that influences risk is the value (monetary, material, or competitive) of the at-risk asset.
How to Calculate Risk
Risk can be calculated using a risk equation as follows:
- Risk = (Probability that a threat occurs) x (Cost to the asset owner)
Another way of describing risk is:
- Risk = Consequence x Likelihood
- Risk = Threat x Vulnerability
In fact, this calculation can inform decisions about where to allocate resources and what vulnerabilities and threats should be addressed first.
Risk can be quantified as the probability of a threat succeeding multiplied by the value of a potential loss. An unpatched software system that could lead to a complete loss of an entire corporate data set is a massive risk. Conversely, a photocopier that still has the default password in place poses a small risk.
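The equation Risk = Likelihood of Occurrence x Potential Impact to Asset Owner, applied to a small risk register in Python. This is an added example, not code from the original article; the register, its probabilities and its dollar figures are constructed for the illustration. It reproduces the article's contrast between an unpatched system that could lose an entire data set and a photocopier that still has its default password, and ranks the entries so the highest risk is handled first.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/vulnerability pairing against a named asset (constructed sample data)."""
    asset: str
    vulnerability: str
    threat: str
    likelihood: float   # probability the threat succeeds within a year, 0.0 to 1.0
    impact: float       # estimated loss to the asset owner, in dollars, if it succeeds


def risk_score(s: Scenario) -> float:
    """Risk = Likelihood of Occurrence x Potential Impact to Asset Owner."""
    if not 0.0 <= s.likelihood <= 1.0:
        raise ValueError(f"likelihood must be a probability, got {s.likelihood}")
    if s.impact < 0:
        raise ValueError("impact cannot be negative")
    return s.likelihood * s.impact


def rank_by_risk(scenarios):
    """Return (scenario, risk) pairs, highest risk first, to drive prioritisation."""
    scored = [(s, risk_score(s)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def highest_likelihood(scenarios):
    """The entry most likely to occur, which is not necessarily the biggest risk."""
    return max(scenarios, key=lambda s: s.likelihood)


# Constructed sample register mirroring the article's two examples, plus one more.
REGISTER = [
    Scenario("corporate data set", "unpatched server", "ransomware", 0.30, 5_000_000),
    Scenario("photocopier", "default admin password", "opportunistic misuse", 0.50, 2_000),
    Scenario("customer portal", "no MFA on admin accounts", "credential theft", 0.20, 750_000),
]

if __name__ == "__main__":
    for s, r in rank_by_risk(REGISTER):
        print(f"{r:>12,.0f}  {s.asset:<20} {s.vulnerability} / {s.threat}")
```

The photocopier has the highest likelihood in the register but the lowest risk, because the impact is tiny; ranking by likelihood alone would put it first, while ranking by likelihood times impact puts the unpatched server first.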
Risk fluctuates based on a wide range of factors. Sometimes, something in the business, like a specific investment or strategic initiative changes the company’s risk profile. Sometimes external factors, like a new interest in an industry or sector brings greater risk to a business.
Most often, a combination of internal and external characteristics combines to create risk. This is one of the primary reasons that cyber risks change so frequently.
Real-Life Example of Vulnerability vs Threats vs Risk
Consider the previously described example of the car in this context. Let’s look at that example now in the context of risk and its types as below:
- Asset: Your car and the valuables inside (laptop, phone, wallet).
- Vulnerability: Leaving your car doors unlocked, or a window slightly open, or a faulty car alarm system.
- Threats: Carjackers, thieves, or even a random act of vandalism.
Types of Threats:
- Intentional: A carjacker actively seeking to steal your vehicle. A thief looking for valuables inside the car.
- Unintentional: A passerby accidentally damages your vehicle while trying to get around it, a child hits your car while running through the parking lot, or a shopping cart accidentally rolls into your car.
- Natural: A hailstorm that damages the vehicle or a tree falling on your car.
Risk:
- High Risk: Parking an expensive car, unlocked, in a high-crime area with valuables in plain sight greatly elevates the risk. The probability of a threat is high, and the potential cost (loss of the car, valuables, and potential damage) is substantial.
- Low Risk: If a less valuable car is parked, locked, in a secure garage, the probability of a threat is low, and the potential loss would be less costly.
The car example highlights how the combination of vulnerabilities and threats directly impacts risk.
A number of notable cyber attacks have taken place in recent years. These include the WannaCry ransomware attack that exploited unpatched systems in 2017. Large enterprises like SolarWinds suffered a breach of supply chain systems in 2019 and 2020. Finally, the ProxyLogon attack in 2021 targeted Microsoft Exchange servers.
Passive vs. Active Danger
One important distinction between threats and risks is that threats are active in nature while risks are passive. For example, a threat may be a person or system trying to log in to a page without authorization.
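The active/passive distinction, and the earlier point that insufficient monitoring of access logs is itself a process vulnerability, can be made concrete in code. The following is an added example, not part of the original article: a passive account inventory records which accounts carry a weakness (no MFA, a weak password), a constructed access log records active login attempts, and an account is reported as at risk only when both a vulnerability and an active threat against it are present. The log format, the account names and the failure threshold are assumptions made up for the illustration.

```python
import re
from collections import Counter

# Constructed asset inventory: account -> passive weaknesses (vulnerabilities).
# An empty set means the account has MFA enforced and a strong password.
ACCOUNTS = {
    "alice": set(),
    "bob": {"no_mfa"},
    "carol": {"no_mfa", "weak_password"},
    "dave": {"weak_password"},
}

# Constructed access-log lines (made up for this example, not real data).
ACCESS_LOG = """\
2024-05-01T10:00:01Z login user=alice src=10.0.0.5 result=success
2024-05-01T10:00:07Z login user=bob src=203.0.113.9 result=failure
2024-05-01T10:00:09Z login user=bob src=203.0.113.9 result=failure
2024-05-01T10:00:12Z login user=bob src=203.0.113.9 result=failure
2024-05-01T10:00:13Z login user=bob src=203.0.113.9 result=failure
2024-05-01T10:00:20Z login user=carol src=10.0.0.7 result=success
2024-05-01T10:01:02Z login user=dave src=198.51.100.4 result=failure
2024-05-01T10:01:30Z login user=carol src=198.51.100.4 result=failure
2024-05-01T10:01:31Z login user=carol src=198.51.100.4 result=failure
2024-05-01T10:01:33Z login user=carol src=198.51.100.4 result=failure
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(success|failure)$")


def parse_log(text):
    """Yield (user, src, result) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4)


def active_threats(log_text, failure_threshold=3):
    """A threat is active: a source repeatedly failing to log in to an account.

    Returns {user: [source, ...]} for every account that crossed the threshold.
    """
    failures = Counter()
    for user, src, result in parse_log(log_text):
        if result == "failure":
            failures[(user, src)] += 1
    threats = {}
    for (user, src), count in failures.items():
        if count >= failure_threshold:
            threats.setdefault(user, []).append(src)
    return threats


def at_risk_accounts(accounts, log_text, failure_threshold=3):
    """Risk needs both halves: a passive vulnerability on the account and an active threat against it."""
    threats = active_threats(log_text, failure_threshold)
    return {
        user: {"vulnerabilities": sorted(vulns), "threat_sources": sorted(threats[user])}
        for user, vulns in accounts.items()
        if vulns and user in threats
    }


if __name__ == "__main__":
    for user, detail in at_risk_accounts(ACCOUNTS, ACCESS_LOG).items():
        print(user, detail)
```

Run against the constructed data, bob and carol come back as at risk: both have a weakness and both are being actively targeted. dave has a weak password but nobody is attacking it (a vulnerability with no threat, yet), and alice has no weakness, so neither is reported. Without the log (the process vulnerability the article names), the threat half of the picture would be invisible.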
Five Steps in Risk Management
Comprehensive risk management happens in five clear steps.
1. Identification: Potential issues are evaluated across IT systems and other infrastructure.
2. Assessment: The impact of vulnerabilities and threats is evaluated.
3. Analysis: Mitigation strategies like avoidance or acceptance are determined.
4. Implementation and review of controls: New measures like firewalls and encryption are implemented.
5. Documentation: Records are created and maintained to provide the foundation for cyber security. These documents are added to and improved over time.
Risk Mitigation Strategies
Strategies for risk mitigation come down to four options.
- A risk may be accepted with the acknowledgement that mitigation is not worth the resources relative to the risk.
- A risk may be avoided by stopping the behavior or removing entirely the cause of the risk.
- A risk may be transferred through an insurance policy or outsourcing.
- The most severe or important risks may be mitigated by implementing controls to reduce or eliminate the risk entirely.
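The four options above turned into a decision rule, as an added example that is not from the original article. It scores each register entry with likelihood times impact (the article's equation), compares the expected loss with a stated risk appetite, and then weighs the cost of a control, the cost of transferring the risk, and the possibility of avoiding it outright. The decision rule, the register entries, the risk appetite and all the dollar figures are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RiskItem:
    """One entry in a constructed risk register."""
    name: str
    likelihood: float                      # annual probability the threat succeeds, 0.0 to 1.0
    impact: float                          # loss in dollars if it succeeds
    control_cost: float                    # annual cost of the control that would reduce the risk
    control_reduction: float               # fraction of the risk the control removes, 0.0 to 1.0
    transfer_cost: Optional[float] = None  # annual premium to insure or outsource; None if unavailable
    can_avoid: bool = False                # True if the activity causing the risk can simply be stopped


def annual_risk(item: RiskItem) -> float:
    """Risk = Likelihood of Occurrence x Potential Impact to Asset Owner."""
    return item.likelihood * item.impact


def choose_treatment(item: RiskItem, appetite: float):
    """Pick accept / avoid / transfer / mitigate; returns (treatment, annual cost to the owner).

    Decision rule (an assumption of this example, not from the article):
    - accept when the expected loss is already within the stated appetite;
    - avoid when the activity can be stopped outright;
    - otherwise compare mitigating (residual risk plus control cost) with transferring
      (the premium); mitigate wins ties;
    - accept anyway when every treatment costs more than bearing the risk.
    """
    exposure = annual_risk(item)
    if exposure <= appetite:
        return "accept", exposure
    if item.can_avoid:
        return "avoid", 0.0
    options = {"mitigate": exposure * (1.0 - item.control_reduction) + item.control_cost}
    if item.transfer_cost is not None:
        options["transfer"] = item.transfer_cost
    best = min(options, key=options.get)  # iteration order makes "mitigate" win ties
    if options[best] >= exposure:
        return "accept", exposure        # not worth the resources relative to the risk
    return best, options[best]


def treat_register(items, appetite):
    """Map each entry name to the chosen treatment."""
    return {item.name: choose_treatment(item, appetite)[0] for item in items}


# Constructed register; figures are made up for the illustration.
REGISTER = [
    RiskItem("ransomware via unpatched file server", 0.30, 5_000_000, 40_000, 0.90, 600_000),
    RiskItem("photocopier with default password", 0.50, 2_000, 500, 0.95),
    RiskItem("legacy FTP service for partner uploads", 0.40, 200_000, 30_000, 0.50, can_avoid=True),
    RiskItem("laptop theft", 0.20, 300_000, 90_000, 0.50, 25_000),
    RiskItem("outage of non-critical internal wiki", 0.30, 100_000, 50_000, 0.50),
]
RISK_APPETITE = 10_000  # assumed annual expected loss the owner is willing to bear per item

if __name__ == "__main__":
    for item in REGISTER:
        treatment, cost = choose_treatment(item, RISK_APPETITE)
        print(f"{treatment:<9} {cost:>12,.0f}  {item.name}")
```

The register shows one outcome per option: the file server is mitigated because the patching control is far cheaper than the premium, the photocopier is accepted because its expected loss is inside the appetite, the FTP service is avoided by switching it off, laptop theft is transferred because insurance is cheaper than the control, and the wiki outage is accepted because the only control would cost more than the loss it prevents.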
The best ways to manage risk are straightforward and repeatable. First, it is critical to conduct regular threat assessments. Performing penetration testing and security exercises is an excellent way to not just identify vulnerabilities but gather the necessary information to determine the associated risks. Finally, frameworks including NIST CSF offer guidance for risk management.
The interconnection of vulnerabilities, threats, and risks is undeniable. While each has distinct characteristics, it is impossible to understand effective cyber security without understanding how they relate to each other. Effective risk management and the understanding of threats and vulnerabilities is the foundation of a strong security strategy.
To safeguard assets, remain compliant, and reduce risks, cyber security must be a priority. With Pathlock, companies have a reliable cyber security partner ready to offer the deep expertise and structure necessary to protect their most critical assets.
FAQs on Threats vs Vulnerability vs Risk
What is the difference between risk, vulnerability, and threat?
A threat is an active component that can be a cause for loss or harm (Example: cyberattacks), whereas a vulnerability is a passive component that provides a threat with the opportunity to cause loss or harm (Example: weak passwords). A risk is an estimate of the probability of a threat taking action against a vulnerability and the potential harm or loss that would occur. (Example: Not having MFA to access customer data increases the risk of a breach and leads to penalties and lawsuits)
How does regularly updating systems reduce vulnerabilities?
Regular software updates help plug known vulnerabilities and, therefore, play a key role in reducing vulnerabilities and mitigating risks.
What is the relationship between threat, vulnerability, and risk?
A vulnerability is that which can be exploited by a threat. The likelihood of such an event happening and the potential damage the event can cause decides the severity of the risk.
What are some common examples of cybersecurity threats?
Phishing, malware, and DDoS attacks are examples of more common cyber security threats.
What are common types of vulnerabilities?
Gaps and inefficiencies in processes, poor systems implementation, unpatched software and weak passwords are common types of vulnerabilities.
What is risk management and why is it important?
Risk management prioritizes threats in an effort to minimize potential damage if a vulnerability is exploited.
How can organizations identify threats and risks?
Continuous monitoring in conjunction with vulnerability assessments and risk analysis are the best way to identify threats and risks.
Why is it important to train employees on cybersecurity best practices?
Training helps employees know what to look for as well as how to recognize threats. Training prevents negligent behavior and reduces the chance of an intrusion due to social engineering. Training also helps them know the difference between a threat and a vulnerability.
How can organizations manage their cyber risk?
Partnering with experts and implementing strong controls in addition to regular assessments are the best ways to manage cyber risk.
What is the CIA triad in cybersecurity?
The CIA triad in cybersecurity stands for confidentiality, integrity, and availability. These are the core goals of security.
How can vulnerability management help secure a system?
Vulnerability management secures systems by identifying and addressing weaknesses before a problem occurs. It is a proactive approach to security.
What is a zero-day vulnerability?
A zero-day vulnerability is a flaw the vendor is unaware of. This means that it is exploitable by hackers if they attack the vulnerability before it is patched.
What is the role of penetration testing in risk management?
Penetration testing identifies vulnerabilities and guides efforts to minimize or mitigate those vulnerabilities.
What is the importance of documenting risk management processes?
Documentation helps cyber security teams learn from past events and update their strategies for security in the future.
What are some cybersecurity standards and frameworks?
Standards like ISO 27001 and NIST CSF are useful for guiding a cyber security team or practice.