Vulnerability vs Threat vs Risk Re-visited
How do we differentiate Vulnerabilities, Threats, and Risk in Cybersecurity?
The importance and the difference in Vulnerabilities, Threats, and Risk can be summed up with the story of the 3 little pigs.
Hear me out… turns out, this well known fable can also help us understand this important concept in Cybersecurity.
Remember, in the early parts of your Cybersecurity journey, concepts > details.
Just in case you haven’t read the story, here you go (albeit with an alternative ending).
In a previous post, we covered many topics around Cybersecurity interviews, one being how to differentiate Vulnerabilities, Threats, and Risk, as this is a question that often comes up.
Today, we will go over this in detail with the help of the aforementioned children’s story.
Going with the NIST definition, the 3 concepts can be defined as follows.
Vulnerability: A weakness in an information system, its security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Threat: Any circumstance or event with the potential to adversely impact operations, assets, or individuals through unauthorized access, destruction, disclosure, or modification of information, or denial of service.
Risk: A measure of the extent to which operations, company assets, or individuals are threatened by a potential event, typically a function of the adverse impact if the event occurs and the likelihood of it occurring.
However, let’s look at these through the lens of the 3 little pigs to relate it to something we already know.
Vulnerability: In the story, the first 2 pigs built their houses using straw and sticks, respectively, which made their homes vulnerable to the wolf's huffing and puffing.
In other words, the building materials, straw and sticks, were the vulnerabilities.
Therefore, a vulnerability refers to a flaw in a system or process that can be exploited by a threat.
For example, unpatched software, or weak passwords with no second factor, are vulnerabilities that an attacker can exploit to gain unauthorized access to a system.
Threat: In the story, the wolf represents the threat to the pigs' homes.
Similarly, a threat refers to any potential danger or harm to an organization's assets, such as its data, its systems, or its reputation.
For example, cybercriminals, employee theft, or natural disasters are all potential threats that can cause harm to an organization.
Risk: In the story, the third pig built his house using bricks, which reduced the risk of the house being blown down by the wolf.
Similarly, risk refers to the likelihood and potential impact of a threat exploiting a vulnerability.
For example, the risk of a cyber attack combines the probability that an attacker exploits a given vulnerability with the impact that attack would have on the organization.
Putting It All Together
Now let’s dig deeper here in terms of risk.
The first pig built his house of straw; let’s call this a 90% risk (an illustrative score, not a measured probability).
Even without the hindsight of 20/20, we can say with certainty that a house made of straw cannot withstand much. Whether it be the forces of nature in the form of heavy rain, wind, wear and tear, or a wolf huffing and puffing.
The second pig built his house of sticks. Marginally better than straw, but not by much, so let’s score it at 60% risk. Light rain would probably be fine, but any serious storm or extreme weather would wreak havoc on the home.
Similarly, in the story this wasn’t enough to withstand the wolf huffing and puffing.
Now the third pig. His house was built of bricks, which hold up well in adverse weather (and are fire-resistant). Note that the threat did not change: the wolf huffed just as hard at all three houses. What changed was the vulnerability, and with it the risk of the house being blown down. In the end, the wolf could not take the house down.
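To make the scoring above concrete, here is an added example (not code from the original post) of the kind of qualitative risk matrix practitioners actually use: risk is computed from a likelihood rating and an impact rating, each on an assumed 1 to 5 scale, and a control such as bricks, a patch, or a second factor lowers the likelihood rating rather than the threat itself. The three houses, the cyber scenario, the ratings, and the band cut-offs are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal qualitative risk
matrix scoring risk as a function of likelihood and impact, in the spirit of
the NIST definition. Scenarios, ratings and band cut-offs are constructed
assumptions, not measurements."""
from dataclasses import dataclass, replace

# Ordinal 1..5 scales, as used in many qualitative risk matrices (assumed here).
SCALE = range(1, 6)


@dataclass(frozen=True)
class Scenario:
    asset: str          # what we are protecting (a house, a server)
    vulnerability: str  # the weakness a threat could exploit
    threat: str         # the actor or event that could exploit it
    likelihood: int     # 1 (rare) .. 5 (almost certain) that the threat exploits the vulnerability
    impact: int         # 1 (negligible) .. 5 (severe) if it does


def risk_score(s: Scenario) -> int:
    """Risk = likelihood x impact on the 1..5 scales, giving a 1..25 score."""
    if s.likelihood not in SCALE or s.impact not in SCALE:
        raise ValueError("likelihood and impact must be integers 1..5")
    return s.likelihood * s.impact


def risk_band(score: int) -> str:
    """Map a 1..25 score to a qualitative band (assumed 5x5 matrix cut-offs)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def apply_control(s: Scenario, likelihood_reduction: int = 0,
                  impact_reduction: int = 0) -> Scenario:
    """A control (bricks, a patch, MFA, backups) lowers likelihood and/or
    impact by the given number of steps, but never below 1: the threat still
    exists, so the risk is reduced, not eliminated."""
    return replace(
        s,
        likelihood=max(1, s.likelihood - likelihood_reduction),
        impact=max(1, s.impact - impact_reduction),
    )


# Constructed scenarios: the three pigs, then one cyber equivalent.
STRAW = Scenario("straw house", "straw walls", "wolf huffing and puffing", 5, 5)
STICKS = Scenario("stick house", "stick walls", "wolf huffing and puffing", 4, 5)
BRICK = Scenario("brick house", "none found", "wolf huffing and puffing", 1, 5)
UNPATCHED = Scenario("internet-facing server",
                     "unpatched software, password-only login",
                     "cybercriminal", 4, 4)


def register(scenarios):
    """Return (asset, score, band) per scenario, highest risk first."""
    rows = [(s.asset, risk_score(s), risk_band(risk_score(s))) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for asset, score, band in register([STRAW, STICKS, BRICK, UNPATCHED]):
        print(f"{asset:24} score={score:2} band={band}")
    # Patching and adding a second factor make exploitation less likely; the
    # impact if it still happened is unchanged, so the risk drops but does not vanish.
    hardened = apply_control(UNPATCHED, likelihood_reduction=3)
    print(f"after patch + 2FA: score={risk_score(hardened)} "
          f"band={risk_band(risk_score(hardened))}")
```

Run as a script it prints a small risk register: straw and sticks land in the high band, bricks in the low band with the same wolf and the same impact, and the unpatched server drops from high to low once the control reduces likelihood. The point is the same as the fable: you rarely get to remove the threat, so you manage risk by removing vulnerabilities (lowering likelihood) or limiting what an exploit can do (lowering impact).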
In conclusion, the story of the 3 little pigs is a relatable analogy for understanding vulnerabilities, threats, and risk in cybersecurity, and for seeing how the three fit together.
Understanding the potential vulnerabilities in your own life and the threats that could exploit them can help in taking proactive steps to reduce your risk of a cyber attack.
In an upcoming post, we’ll take a real world example to apply the concept of the Vulnerabilities, Threats, and Risk.