How to Tell the Difference that Vulnerability, Threat, and Risk?

Buğra YELER
3 min readAug 3, 2021

--

What is a Vulnerability?

Vulnerabilities are weak spots within your systems, softwares or assets. Vulnerabilities make you weakness that open you up to potential threats and increased risk.

There are a lot of causes of vulnerabilities, some of these are system design, applications which are used at system and misconfiguration. Unfortunately, an organization can have thousands, often millions of vulnerabilities, but the good point is that about 2%-5% of vulnerabilities are likely to be exploited.

Finding important vulnerabilities among these vulnerabilities is to hard. This is where risk-based vulnerability prioritization plays a crucial role. By giving Security and IT teams the tools and insight to hone their remediation efforts on the vulnerabilities that are most likely to be exploited and that pose the biggest risk to your business, you will not only save time, money and cycles, but organisations improve collaboration and help lower the organization’s overall cyber risk.

What is a Threat?

Threat is any potential hazard that is likely to harm an organization, whether intentionally or unintentionally, associated with the exploitation of an existing vulnerability.

The threat can come from the internal network, internet, usb memory or CD DVD media. All of these threats look for a way in, a vulnerability in your environment that they can exploit.

However, the exploitation potential of threats may different from each other. Therefor, analyzing these threats, the more strategic and impactful decisions you can make regarding your vulnerability management and remediation.

Information should be protected from threats encountered. This sentence is expressed by “A threat is what we’re trying to protect against”.

What is Risk?

Risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk can be defined as the possibility of an attacker to damage the system by exploiting a vulnerability in an asset and this sentence is expressed by “Risk is the intersection of assets, threats, and vulnerabilities”.

Risk incorporates not just the potential or probability of a negative event, but the impact that event may have on your infrastructure. Risk can never be 100% eliminated because of cybersecurity is a persistently moving target, managing to a level that satisfies your organization’s tolerance for risk is too important.

To sum up

Mixing up vulnerability, threat and risk, your ability to understand how the latest vulnerability management tools and technologies work, and impedes communication with other security professionals. The distinctions may be fundamental, but they’re also important.

Understanding risk, threat and vulnerability is a good first step toward achieving a stronger, more efficient vulnerability management approach and a culture aligned around managing and lowering risk.

Don’t forget to follow for such blogs.

--

--

Buğra YELER
Buğra YELER

Written by Buğra YELER

Security Researcher & Incident Responder

No responses yet