Defining something, and giving it meaning, provides us with a way to look at it with greater clarity and understanding. We explain things so we can then use them appropriately or communicate information about them to others meaningfully. When we define things for different settings or situations, that definition differentiates them so that there is less confusion. For cybersecurity, this can be very important, as there are so many different words, terms, and phrases that mean something different in another setting. These variations mean that we must ensure that everyone understands what we mean.
Some words have a stringent definition in cybersecurity, while others do not. The terms risk, vulnerability, and threat fall somewhere in between: their definitions resemble each other in some ways but differ enough that it is crucial to take some time to define them here.
What is a Risk?
If you think of security, and cybersecurity specifically, a risk would be whether something could potentially harm your data, IT systems, or the persons that use them. The form of risk can be anything, from a criminal trying to steal data to a hurricane or a power outage. Another way to look at risk is that it is something that could harm but hasn’t yet. Risk is also not necessarily intentional, as it can come in the form of a simple mistake or misunderstanding that might lead to an adverse outcome.
When we think of risk in combination with threats and vulnerabilities, risk sits at the top, and the other two are its components. In other words, a threat or a vulnerability is each considered a risk, but they are not equal, and the potential for either to become a realized problem will not be the same.
We will relate a little more about their similarities and differences below.
What is a Vulnerability?
When a person feels “vulnerable,” it means that they feel threatened by the possibility of something happening because they are in a “position” that exposes them to that threat. An example would be if someone thought they were vulnerable to getting into trouble at work because they had made a mistake or had done something wrong.
In cybersecurity, a vulnerability is a setup that is wrong, or not the best it could be, and that might result in something adverse. An example of a vulnerability would be users being required to use only six characters for their password on a system in use. While a password requirement is undoubtedly much better than none, a six-character password is virtually useless against even a novice hacker if the character set is further limited to just letters.
The password requirement, then, is ineffective. It is essential to understand here that a vulnerability exists that COULD be a problem if it isn’t dealt with properly. Still, it isn’t necessarily a threat that is likely to be realized. Other protections may be in place that reduce or eliminate the potential for a bad situation.
However, it is good policy to resolve as many of these vulnerabilities as possible BEFORE they become genuine threats. Again, we will add more to this later.
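To make the six-letter password example above concrete, here is a small policy check added for this article (it is not Northstarr code). It scores a password policy by the size of the keyspace it forces and the worst-case time to exhaust that keyspace at an assumed guess rate, so the weak policy from the example can be compared with a corrected one.

```python
import math

# Character-class sizes (assumed for this example; symbols = printable ASCII punctuation).
CHARSETS = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Assumed illustrative guess rate for an offline attack against a fast, unsalted hash.
DEFAULT_GUESSES_PER_SECOND = 1e10


def keyspace_bits(min_length: int, classes: tuple) -> float:
    """Bits of keyspace when every password is exactly min_length chars drawn from the given classes."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return min_length * math.log2(alphabet)


def seconds_to_exhaust(bits: float, guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every password in the keyspace at the given rate."""
    return 2.0 ** bits / guesses_per_second


def assess_policy(min_length: int, classes: tuple,
                  guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> dict:
    """Rate a policy: 'vulnerable' if exhaustible in under a day, 'weak' under a year, else 'acceptable'."""
    bits = keyspace_bits(min_length, classes)
    secs = seconds_to_exhaust(bits, guesses_per_second)
    if secs < 24 * 3600:
        verdict = "vulnerable"
    elif secs < 365 * 24 * 3600:
        verdict = "weak"
    else:
        verdict = "acceptable"
    return {"bits": round(bits, 1), "seconds": secs, "verdict": verdict}


if __name__ == "__main__":
    # The policy from the article: six characters, letters only (lowercase assumed here).
    print("six letters:", assess_policy(6, ("lower",)))
    # A corrected policy: twelve characters drawn from all four classes.
    print("twelve mixed:", assess_policy(12, ("lower", "upper", "digit", "symbol")))
```

At the assumed rate, the six-letter keyspace (about 28 bits) is exhausted in a fraction of a second, while the twelve-character mixed policy (about 79 bits) takes on the order of a million years.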
What is a Threat?
Threats are those people or things out there that could or would take advantage of (intentionally or otherwise) the vulnerabilities within your organization’s environment. A malicious actor, for instance, is a threat. Another threat might be an earthquake if your systems and people work or reside in a building that isn’t designed to withstand one.
A threat results from a vulnerability in the sense that, without the vulnerability, that threat is of no concern; but a vulnerability does not automatically result in a threat occurring. The potential is there, but your organization may have used other protections to mitigate or reduce the actual threat to an acceptable level.
A threat cannot exist without a vulnerability.
Putting them together
So let’s take another look, but let’s put them all together this time.
You have a vulnerability in your organization that relates to the fact that no one is watching to ensure that only authorized personnel can access the servers. Because you are a small company with little real data of value, this is not a threat because while the opportunity is there, no one is likely to take advantage of it. You have a vulnerability but no threat.
If the data were of greater value, say, in the case of a process or product that your competitors might want to gain access to, you have both a vulnerability and a threat: the opportunity created by the vulnerability.
One more: if the vulnerability exists, and there is a threat that might take advantage of it, but there are now locks on the doors to where your data is stored, then you have a risk, a vulnerability, and a threat. The risk is that you still have a vulnerability, even with additional protection. The threat is that you still have someone interested in taking advantage of the vulnerability if they can.
How will this Affect You?
As you can see, vulnerabilities, threats, and risks are all meaningful as individually defined items within your cybersecurity environment, but they also directly impact each other. Without a vulnerability, there is no threat or risk. Without a threat, the vulnerability is unlikely to become a realized risk. The two together make up the risks you must understand and work to reduce or remove from the environment.
What should you do?
Taking steps to understand and assess your organizational information environment, what data you use, and how it is gathered, processed, and stored is a huge part of protecting that environment. How can you watch over it properly if you don’t know what you protect?
From that knowledge, you also gain insight into what vulnerabilities reside within and outside your environment, what threats are possible or likely, and what the combined risk means for your company’s ability to continue doing business. That is the knowledge you need to better protect yourself, your data, and your business.
Northstarr Recommendations
Never let a lack of knowledge or skill work against your business. Allow our Northstarr security and IT professionals to assist you in finding your vulnerabilities, assessing any possible threats against them, and reducing the overall risk they might pose.
To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!