The importance of, and the difference between, Vulnerabilities, Threats, and Risk can be summed up with the story of the 3 little pigs. It turns out this well-known fable can also help us understand this important concept in Cybersecurity.
Remember, in the early parts of your Cybersecurity journey, concepts > intricacies.
Just in case you haven’t read the story, here you go (albeit with an alternative ending).
In the last post, we talked about many topics of Cybersecurity Interviews, one being that of differentiating Vulnerabilities, Threats, and Risk. Today, we will go over this in detail with the help of the aforementioned children’s story.
Going with the NIST definition, the 3 concepts can be defined as follows.
Vulnerability: Weakness in an information system or implementation that could be exploited or triggered by a threat.
Threat: Any circumstance or event with the potential to adversely impact operations, assets, or individuals through a system via unauthorized access, destruction, disclosure, or modification of information.
Risk: The level of impact on operations, company assets, or individuals resulting from the potential impact of a threat and the likelihood of that threat occurring.
However, let’s look at these through the lens of the 3 little pigs to relate it to something we already know.
Vulnerability: In the story, the first 2 pigs built their houses using straw and sticks, respectively, which made their homes vulnerable to the wolf's huffing and puffing.
Said simply, the building materials, straw and sticks, were the vulnerabilities.
Similarly, a vulnerability refers to a flaw in a system or process that can be exploited by a threat.
For example, outdated software or weak passwords with no 2FA are vulnerabilities that can be exploited by hackers to gain unauthorized access to a system.
Threat: In the story, the wolf represents the threat to the pigs' homes.
Similarly, a threat refers to any potential danger or harm to an organization's assets, such as its digital data, reputation, or physical property.
For example, cybercriminals, employee theft, or natural disasters are all potential threats that can cause harm to an organization.
Risk: In the story, the third pig built his house using bricks, which reduced the risk of the house being blown down by the wolf.
Similarly, risk refers to the likelihood and potential impact of a threat exploiting a vulnerability.
For example, the risk of a cyber attack can be the probability that an attacker will exploit a vulnerability and the potential impact of that attack on the organization.
Putting It All Together
Now let’s dig deeper here with risk.
The first pig built the house out of straw; let’s give this a 90% risk. Even without 20/20 hindsight, we can say with certainty that a house made of straw cannot withstand much, whether it be the forces of nature, wear and tear, or a wolf huffing and puffing.
The second pig built their house out of sticks. Marginally better than straw, but not by much. Let’s give this a score of 50% risk. Some light rain would probably be okay, but any serious storm or extreme weather would wreak havoc on the home.
Similarly, this wasn’t enough to withstand the wolf huffing and puffing.
Now the third pig. This house was built with bricks, which reduced the risk of the house being blown down by the wolf. In the end, the wolf could not take the house down.
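To make the likelihood-and-impact idea concrete, here is a toy risk register for the three houses, written as an added example (it is not part of the original post). The 90% and 50% wolf likelihoods come from the post; the brick house's 5% residual likelihood, all impact values, the weather rows and the rating thresholds are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One row of a risk register: a threat paired with a vulnerability."""
    asset: str
    vulnerability: str  # the weakness (building material in the fable)
    threat: str         # the circumstance or actor that could exploit it
    likelihood: float   # probability (0..1) that the threat exploits it
    impact: float       # fraction (0..1) of the asset lost if it does


def risk_score(entry: RiskEntry) -> float:
    """Risk = likelihood x impact; neither factor alone is the risk."""
    for value in (entry.likelihood, entry.impact):
        if not 0.0 <= value <= 1.0:
            raise ValueError("likelihood and impact must be within [0, 1]")
    return round(entry.likelihood * entry.impact, 3)


def risk_rating(score: float) -> str:
    """Qualitative band for a score; the thresholds are constructed."""
    if score >= 0.6:
        return "high"
    if score >= 0.25:
        return "medium"
    return "low"


def rank_register(register: list[RiskEntry]) -> list[tuple[str, str, float, str]]:
    """(asset, threat, score, rating) rows, highest risk first."""
    rows = [(e.asset, e.threat, risk_score(e), risk_rating(risk_score(e))) for e in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register. The 90% and 50% wolf likelihoods are the post's;
# the brick house's 5% and the weather rows are invented for illustration.
WOLF = "wolf huffing and puffing"
REGISTER = [
    RiskEntry("straw house", "straw walls", WOLF, likelihood=0.90, impact=1.0),
    RiskEntry("stick house", "stick walls", WOLF, likelihood=0.50, impact=1.0),
    RiskEntry("brick house", "residual weakness (constructed)", WOLF, likelihood=0.05, impact=1.0),
    # Same vulnerability, different threats: frequent but harmless vs. rare but destructive.
    RiskEntry("stick house", "stick walls", "light rain", likelihood=0.80, impact=0.10),
    RiskEntry("stick house", "stick walls", "serious storm", likelihood=0.30, impact=0.90),
]

if __name__ == "__main__":
    for asset, threat, score, rating in rank_register(REGISTER):
        print(f"{asset:12} vs {threat:26} risk={score:.2f} ({rating})")
```

The ranking shows why the two factors must be kept apart: the frequent light rain scores lower than the rare storm, and the brick house keeps a non-zero residual risk even though its likelihood is small.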
In conclusion, the story of the 3 little pigs provides a relatable analogy for individuals to understand the concepts of vulnerabilities, threats, and risk in cybersecurity.
Understanding the potential vulnerabilities in your own life and the threats that could exploit them can help you take proactive steps to reduce your risk of a cyber attack.
If you enjoyed this post, please share with a friend who would also like to learn about Cybersecurity.