These terms matter because they are central to how I, and security professionals generally, understand the way business, security, and technology intersect.
Threats are things you don't want to happen, and they exist in the world around you whether or not you are exposed to them. There is a threat that you get into a car accident on the way to work. There is also a threat that someone hacks into a system at your office. And, of course, there is a threat that a meteor wipes out your office. Not all threats are equally credible; in other words, not every decision can be threat driven.
Vulnerabilities are weaknesses that exist right now, whether or not anyone is trying to use them. The fact that the brakes in your car may be worn out is a vulnerability. The fact that you don't patch the workstations and servers on your business network is a vulnerability. And the fact that we only watch a small fraction of the space surrounding Earth is yet another vulnerability. Just as you can't remove all the threats, you can't remove all the vulnerabilities either.
Now enters risk. Risk is the likelihood that a vulnerability will be realized, weighed against what it would cost you if it is. In other words: will a threat take advantage of an existing weakness, and how bad would that be? Will someone force you to slam on your brakes, taking advantage of the weakness in your car's brakes? Will some worker click a Facebook link, taking advantage of the missing patches on their system? Will some meteor in the region of space we weren't observing smash into the Earth?
So what do you do with this information? The goal, of course, is decision making. You look for the overlap: a credible threat meeting a real vulnerability, which is exactly where risk lives. A threat with nothing to exploit, or a weakness no credible threat is aimed at, produces little risk on its own.
That overlap of threats, vulnerabilities, and the risks they produce is what information security professionals should focus on. The hard part is determining which things fall into which categories, and why.
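To make the overlap concrete, here is an added example (not code from the original post): a tiny risk register that pairs each catalogued threat with the vulnerabilities it can exploit, scores the pair by likelihood times impact, and applies a treatment rule. The 1..5 scales, the threshold values, the weakness-class tags and the threat/vulnerability catalogue are all assumptions constructed for the example; the three scenarios mirror the post's, plus one threat with nothing to exploit and one vulnerability with no catalogued threat, to show that neither shows up as a risk to prioritise.

```python
from dataclasses import dataclass

# Qualitative 1..5 scales. These are assumed for the example; any
# organisation's own likelihood/impact scale works the same way.
LIKELIHOOD = {"negligible": 1, "rare": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass(frozen=True)
class Threat:
    """Something you don't want to happen, independent of whether you are exposed."""
    name: str
    exploits: frozenset   # weakness classes this threat can take advantage of
    likelihood: str       # how likely the threat is to arrive at all
    impact: str           # harm if it succeeds


@dataclass(frozen=True)
class Vulnerability:
    """A weakness that exists, independent of whether anyone is trying to use it."""
    name: str
    weakness: str         # the weakness class this vulnerability belongs to


@dataclass(frozen=True)
class Risk:
    """A threat paired with a vulnerability it can exploit."""
    threat: str
    vulnerability: str
    score: int            # likelihood x impact on the 1..5 scales above


def pair_risks(threats, vulns):
    """Risk exists only where a threat meets a vulnerability it can exploit.
    A threat with nothing to exploit, or a weakness nobody is trying to use,
    produces no entry here. Highest score first."""
    risks = [
        Risk(t.name, v.name, LIKELIHOOD[t.likelihood] * IMPACT[t.impact])
        for t in threats
        for v in vulns
        if v.weakness in t.exploits
    ]
    return sorted(risks, key=lambda r: r.score, reverse=True)


def unmatched_vulnerabilities(threats, vulns):
    """Weaknesses in the catalogue that no catalogued threat can exploit.
    They are still vulnerabilities, but not (yet) a risk to prioritise."""
    exploitable = set().union(*(t.exploits for t in threats))
    return [v.name for v in vulns if v.weakness not in exploitable]


def treatment(score):
    """Decision rule (assumed thresholds): what to do with a risk of this score."""
    if score >= 12:
        return "mitigate"
    if score >= 6:
        return "monitor"
    return "accept"


# Constructed catalogue mirroring the post's three scenarios, plus one threat
# with nothing to exploit and one vulnerability with no credible threat.
THREATS = [
    Threat("worker clicks a malicious link", frozenset({"unpatched-endpoint"}), "likely", "major"),
    Threat("car ahead stops suddenly", frozenset({"worn-brakes"}), "possible", "major"),
    Threat("meteor hits the office", frozenset({"unobserved-sky"}), "negligible", "catastrophic"),
    Threat("credential stuffing", frozenset({"password-reuse"}), "likely", "moderate"),
]
VULNS = [
    Vulnerability("workstations and servers not patched", "unpatched-endpoint"),
    Vulnerability("car brakes worn out", "worn-brakes"),
    Vulnerability("only a fraction of near-earth space watched", "unobserved-sky"),
    Vulnerability("guest wifi left open", "open-wifi"),
]

if __name__ == "__main__":
    for r in pair_risks(THREATS, VULNS):
        print(f"{r.score:>2}  {treatment(r.score):<8} {r.threat} <- {r.vulnerability}")
    print("vulnerabilities with no catalogued threat:", unmatched_vulnerabilities(THREATS, VULNS))
```

Running it ranks the unpatched-workstation scenario first (likely and major, score 16, mitigate), the worn brakes second (12, mitigate), and the meteor last (catastrophic but negligible likelihood, score 5, accept). "Credential stuffing" never appears because no catalogued vulnerability matches it, and the open guest wifi is reported separately as a weakness without a catalogued threat. That is the point of the post in code: the meteor is a real threat and the unwatched sky is a real vulnerability, but the decision is driven by where credible threats and real weaknesses actually meet.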