Cyber Security - Interview Questions
What is the difference between a threat, vulnerability and risk?
People often use threat, vulnerability and risk interchangeably, but there are crucial differences between them:
 
Threat : A threat is any potential cause of harm capable of destroying or stealing data, disrupting operations, or otherwise damaging the organization. Examples of threats are malware, phishing campaigns, attackers seeking to breach data, and even unethical employees. Because any threat may harm the organization, it is essential to understand the threats you face in order to develop effective mitigations and make informed cyber security decisions.


Vulnerability : A vulnerability is a weakness or flaw in hardware, software, personnel, or procedures that a threat can exploit to harm the organization. Threat actors use these vulnerabilities to achieve their objectives.
 
Some examples of vulnerabilities are given below :
 
Physical vulnerabilities : networking equipment installed in a publicly accessible location where anyone can reach it.

Software vulnerabilities : a buffer overflow in a web browser.

Human vulnerabilities : an employee who is susceptible to phishing attacks.

Zero-day vulnerability : a vulnerability that is known to attackers before the vendor has released a patch or other remedy, so defenders have had "zero days" to fix it.
To deal with vulnerabilities, organizations use a process called vulnerability management: continuously identifying vulnerabilities, assessing and reporting them, and remediating (patching) or mitigating them in order of priority.


Risk : Risk arises only where a threat and a vulnerability coincide. It combines the likelihood that a threat agent successfully exploits the vulnerability with the impact (consequence) that such an exploit would have on the organization. If there is no threat, or no vulnerability for it to exploit, there is no risk.
 
A common formula to estimate risk :

Risk = Likelihood (of a threat exploiting the vulnerability) * Impact (of the resulting compromise)

To control and manage risk, organizations use a process called risk management: identifying all potential hazards, analyzing their likelihood and impact, and determining the best course of action for each. It is a continuous procedure that re-examines new threats and vulnerabilities regularly. Depending on the response chosen, a risk can be avoided (by stopping the risky activity), mitigated (reduced with controls), accepted (when it is below the organization's tolerance), or transferred to a third party (for example through cyber insurance or outsourcing).
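As an added example (not part of the original page), the following Python script applies the Likelihood * Impact formula above to a small risk register and maps each score to one of the four responses (avoid, mitigate, accept, transfer). The 1-5 scales, the band thresholds and the treatment rules are assumed for illustration; real organizations define their own. The register entries are constructed sample data.

```python
# Added example: scoring a risk register with Risk = Likelihood * Impact and
# choosing a treatment. Scales, thresholds and rules below are assumptions.
from dataclasses import dataclass


@dataclass
class RiskEntry:
    asset: str          # what could be harmed
    threat: str         # who/what could cause the harm
    vulnerability: str  # the weakness the threat would exploit
    likelihood: int     # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int         # assumed scale: 1 (negligible) .. 5 (severe)
    essential: bool = True  # can the organization live without this asset?


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood * Impact, with both inputs validated against the 1-5 scale."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a 1-25 score to a qualitative band (assumed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def suggest_treatment(entry: RiskEntry) -> str:
    """Pick avoid / mitigate / accept / transfer using an assumed policy:
    - low risk is accepted;
    - high or critical risk on a non-essential asset is avoided (retire it);
    - rare but severe events are transferred (e.g. insured);
    - everything else is mitigated with controls."""
    band = risk_band(risk_score(entry.likelihood, entry.impact))
    if band == "low":
        return "accept"
    if band in ("high", "critical") and not entry.essential:
        return "avoid"
    if entry.likelihood <= 2 and entry.impact >= 4:
        return "transfer"
    return "mitigate"


def register_report(entries):
    """Return (asset, score, band, treatment) tuples, highest risk first."""
    rows = []
    for e in entries:
        score = risk_score(e.likelihood, e.impact)
        rows.append((e.asset, score, risk_band(score), suggest_treatment(e)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    RiskEntry("Customer DB", "external attacker", "SQL injection in unpatched web app", 4, 5),
    RiskEntry("Legacy FTP server", "malware", "unsupported OS with no patches", 4, 3, essential=False),
    RiskEntry("Finance staff", "phishing", "no MFA on email accounts", 3, 4),
    RiskEntry("Datacenter", "flood", "building sits in a floodplain", 1, 5),
    RiskEntry("Marketing site", "defacement", "weak CMS admin password", 2, 1),
]

if __name__ == "__main__":
    for asset, score, band, treatment in register_report(SAMPLE_REGISTER):
        print(f"{asset:20} score={score:2} band={band:8} treatment={treatment}")
```

Note how the same human vulnerability (phishing susceptibility) would score differently against the finance team and the marketing team purely because the impact differs, which is why risk, not vulnerability alone, drives prioritization.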