Thursday, May 05, 2005

Risk, Threat, and Vulnerability 101

In my last entry I took some heat from an anonymous poster who seems to think I invent definitions of security terms. I thought it might be helpful to reference discussions of terms like risk, threat, and vulnerability in various documents readers would recognize.

Let's start with NIST publication SP 800-30: Risk Management Guide for Information Technology Systems. In the text we read:

"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system."

The document outlines common threats:

  • Natural Threats: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

  • Human Threats Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information).

  • Environmental Threats: Long-term power failure, pollution, chemicals, liquid leakage.


I see no mention of software weaknesses or coding problems there. So how does NIST define a vulnerability?

"Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."

The NIST pub's threat-vulnerability pairings table makes the difference between the two terms very clear:



SP 800-30 talks about how to perform a risk assessment. Part of the process is threat identification and vulnerability identification. Sources of threat data include "history of system attack, data from intelligence agencies, NIPC, OIG, FedCIRC, and mass media," while sources of vulnerability data are "reports from prior risk assessments, any audit comments, security requirements, and security test results."

The end of SP 800-30 provides a glossary:


  • Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

  • Threat-source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

  • Threat Analysis: The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

  • Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.


For those of you Microsoft-only shops, consider their take on the problem in the The Security Risk Management Guide. Chapter 1 offers these definitions:

  • Risk: The combination of the probability of an event and its consequence. (ISO Guide 73)

  • Risk management: The process of determining an acceptable level of risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.

  • Threat: A potential cause of an unwanted impact to a system or organization. (ISO 13335-1)

  • Vulnerability: Any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat.


Microsoft then offers separate appendices with common threats and vulnerabilities. Their threats include catastrophic incidents, mechanical failures, malicious persons, and non-malicious persons, all with examples. Microsoft's vulnerabilities include physical, natural, hardware, software, media, communications, and human. Microsoft clearly delineates between threats and vulnerabilities by breaking out these two concepts.

I'd like to add that the comment on my earlier posting said I should look up "threat" at dictionary.com. I'd rather not think that "security professionals" use a dictionary as the source of their "professional" understanding of their terms. Still, I'll debate on those grounds. The poster wrote that dictionary.com delivers "something that is a source of danger" as its definition. Here is what that site actually says:

  1. An expression of an intention to inflict pain, injury, evil, or punishment.

  2. An indication of impending danger or harm.

  3. One that is regarded as a possible danger; a menace.


Remember what we are debating here. I am concerned that so-called "security professionals" are mixing and matching the terms "threat" and "vulnerability" and "risk" to suit their fancy.

Here's vulnerability, or actually "vulnerable":

  1. Susceptible to physical or emotional injury.

  2. Susceptible to attack: “We are vulnerable both by water and land, without either fleet or army” (Alexander Hamilton).

  3. Open to censure or criticism; assailable.

  4. Liable to succumb, as to persuasion or temptation.


You'll see both words are nouns. But -- a threat is a party, an actor, and a vulnerability is a condition, a weakness. Threats exploit vulnerabilities.

Finally, risk:

  1. The possibility of suffering harm or loss; danger.


Risk is also a noun, but it is a measure of possibility. These are three distinct terms. It is not my problem that I define them properly, in accordance with others who think clearly! I am not inventing any new terms. I'm using them correctly.

I'd like to thank Gunnar Peterson for reminding me of the NIST and Microsoft docs.

5 comments:

Anonymous said...

I just wanted to say thank you for properly educating that anon poster.
-LonerVamp

Chris Walsh said...

Richard:

Regardless of whether Microsoft, NIST, or CERT/CC use these terms as you do, I think Anonymous was (awkwardly) making a reasonable point.

That point essentially is that information security is an immature discipline that is still forming its own terminology (and taxonomy, for that matter). As the field matures, a certain terminological consensus will undoubtedly form, but for now there remains the potential for different people, each of whom is an acknowledged expert, to disagree. Indeed, some may even be sloppy, or think that others are drawing a distinction without a difference. Reacting harshly to such matters, I would argue, is neither called for nor productive, in my view.

As a final note, as Dan Geer so often points out, information security currently benefits from hybrid vigor, since the most knowledgeable in the field received their formal training in something else. I personally find it amusing that in discussing potential bad events and what we can do to manage them effectively, we who practice information security have opted to use our own terms for things which the insurance world already has perfectly good words for ("peril", "hazard"). Except for Quarterman's, I don't read any insurance blogs, but I suspect they aren't chiding us for our terminology, although I suppose by one set of criteria they might.

Anonymous said...

LOL! You guys are getting way to serious with this.

vulnerability- being a little guy in prison
threat- lots of big guys hopped up on testosterone
risk- bending over to pick up your soap in the shower

tweedledeetweedledum said...
This comment has been removed by a blog administrator.
dghnfgj said...
This comment has been removed by a blog administrator.