Let's start with NIST publication SP 800-30: Risk Management Guide for Information Technology Systems. In the text we read:
"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system."
The document outlines common threats:
- Natural Threats: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
- Human Threats Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information).
- Environmental Threats: Long-term power failure, pollution, chemicals, liquid leakage.
I see no mention of software weaknesses or coding problems there. So how does NIST define a vulnerability?
"Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."
The NIST pub's threat-vulnerability pairings table makes the difference between the two terms very clear:
SP 800-30 talks about how to perform a risk assessment. Part of the process is threat identification and vulnerability identification. Sources of threat data include "history of system attack, data from intelligence agencies, NIPC, OIG, FedCIRC, and mass media," while sources of vulnerability data are "reports from prior risk assessments, any audit comments, security requirements, and security test results."
The end of SP 800-30 provides a glossary:
- Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
- Threat-source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
- Threat Analysis: The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.
- Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
For those of you Microsoft-only shops, consider their take on the problem in the The Security Risk Management Guide. Chapter 1 offers these definitions:
- Risk: The combination of the probability of an event and its consequence. (ISO Guide 73)
- Risk management: The process of determining an acceptable level of risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.
- Threat: A potential cause of an unwanted impact to a system or organization. (ISO 13335-1)
- Vulnerability: Any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat.
Microsoft then offers separate appendices with common threats and vulnerabilities. Their threats include catastrophic incidents, mechanical failures, malicious persons, and non-malicious persons, all with examples. Microsoft's vulnerabilities include physical, natural, hardware, software, media, communications, and human. Microsoft clearly delineates between threats and vulnerabilities by breaking out these two concepts.
I'd like to add that the comment on my earlier posting said I should look up "threat" at dictionary.com. I'd rather not think that "security professionals" use a dictionary as the source of their "professional" understanding of their terms. Still, I'll debate on those grounds. The poster wrote that dictionary.com delivers "something that is a source of danger" as its definition. Here is what that site actually says:
- An expression of an intention to inflict pain, injury, evil, or punishment.
- An indication of impending danger or harm.
- One that is regarded as a possible danger; a menace.
Remember what we are debating here. I am concerned that so-called "security professionals" are mixing and matching the terms "threat" and "vulnerability" and "risk" to suit their fancy.
Here's vulnerability, or actually "vulnerable":
- Susceptible to physical or emotional injury.
- Susceptible to attack: “We are vulnerable both by water and land, without either fleet or army” (Alexander Hamilton).
- Open to censure or criticism; assailable.
- Liable to succumb, as to persuasion or temptation.
You'll see both words are nouns. But -- a threat is a party, an actor, and a vulnerability is a condition, a weakness. Threats exploit vulnerabilities.
- The possibility of suffering harm or loss; danger.
Risk is also a noun, but it is a measure of possibility. These are three distinct terms. It is not my problem that I define them properly, in accordance with others who think clearly! I am not inventing any new terms. I'm using them correctly.
I'd like to thank Gunnar Peterson for reminding me of the NIST and Microsoft docs.