In cybersecurity, the factors to consider are endless. Before we get ahead of ourselves, let’s make sure we fully understand three fundamental concepts of security: vulnerabilities, threats and risk.
In this article, we’ll look at these security concepts in depth and hear from industry experts for their up-to-the-minute takes.
Vulnerability vs threat vs risk
These terms are frequently used together, but they do explain three separate components of cybersecurity. In short, we can see them as a spectrum:
- First, a vulnerability exposes your organization to threats.
- A threat is a malicious or negative event that takes advantage of a vulnerability.
- Finally, the risk is the potential for loss and damage when the threat does occur.
Now let’s look in depth at each of these.
(Related reading:Splunk Security Blog & .)
What is a vulnerability?
Let’s start with vulnerabilities. A vulnerability is a weakness, flaw, or other shortcoming in a system (infrastructure, database, or software), but it can also exist in a process, a set of controls, or simply just the way that something has been implemented or deployed.
There are different types of vulnerabilities; we can sum them up generally as:
- Technical vulnerabilities, like bugs in code or an error in some hardware or software. in 2022, according to Positive Technologies, 72% of vulnerabilities were related to flaws in web application code.
- Human vulnerabilities, such as employees falling for phishing, smishing or other common attacks. The goal of 85% of these attacks is data theft.
Some vulnerabilities are routine: you release something and quickly follow up with a patch for it. The issue with the weakness is when it is unknown or undiscovered to your team. If left as-is, this weakness could be vulnerable to attack or threat. For example, a vulnerability is leaving your door unlocked overnight. It alone isn’t a problem, but if a certain person comes along and enters that door, some bad, bad things might happen.
Impact of vulnerability
Thus, the more vulnerabilities you have, the greater the potential for threats and the higher your risk.
But that makes sense, of course, but the sheer scale is enormous: according to UK server and domain provider Fasthosts, organizations can have thousands — even millions! — of potential vulnerabilities.
According to the Cost of a Data Breach Report 2023 by IBM, the average cost of data breaches is at an all-time high of US$ 4.45 million, a 2.2% increase compared to 2022 and a 15% increase over 3 years. The thing is that these attacks can be costly and spill over. For example, Progress software is still dealing with the fallout and recovery from the 2023 MOVEIT Transfer vulnerability; which has so far affected over 94 million users, with over US$15 billion in total damages, and still counting.
Recent examples of vulnerabilities include:
- 2024 RegreSSHion, a critical vulnerability found in OpenSSH
- 2024 Trello platform information leakage incident
- 2023 Okta support breach
- 2023 Compromised Microsoft consumer signing key
Want to know more?The CVE is a dictionary of publically disclosed vulnerabilities and exposures, a primary source of knowledge in the security field.
(Related reading:vulnerability management practice.)
What is a threat?
In cybersecurity, the most common definition of a threat is this: Anything that could exploit a vulnerability, which could affect the confidentiality, integrity or availability of your systems, data, people, and more.
(Confidentiality, integrity and availability, sometimes known as the CIA triad, is another fundamental concept of cybersecurity.)
A more advanced definition of threat is when an adversary or attacker has the opportunity, capability and intent to bring a negative impact upon your operations, assets, workforce and/or customers. Examples of this can include malware, ransomware, phishing attacks and more — and the types of threats out there will continue to evolve.
Importantly, not all threats are the same, according to Bob Rudis, Vice President Data Science at GreyNoise Intelligence. And that’s where accessing and using threat intelligence comes in. Rudis says:
“An attacker may have the intent and capability to do harm, but no opportunity.”
For example, your organization may have no vulnerabilities to exploit due to a solid patch management program or strong network segmentation policies that prevent access to critical systems. However, in the real world, chances are extremely likely that you do have vulnerabilities, so let’s consider the risk factor.
What is a risk?
Risk is the probability of a negative (harmful) event occurring as well as the potential of scale of that harm. Your organizational risk fluctuates over time, sometimes even on a daily basis, due to both internal and external factors.
A slightly more technical angle, the Open FAIR body of knowledge defines cyber risk as the probable frequency and probably magnitude of loss. Sounds complicated, until we break it down: “For starters,” Rudis says, "there is no ethereal risk. Something [tangible] is at risk, be it a system, device, business process, bank account, your firm’s reputation or human life.”
This is where cybersecurity teams can begin to measure that risk:
- Estimate how often an adversary or attacker is likely to attempt to exploit a vulnerability to cause the desired harm.
- Gauge how well your existing systems, controls and processes can standup to those attempts.
- Determine the value of the impact or harm the adversary may cause if the adversary is indeed successful.
One way of describing risk was consequence X likelihood, but as security teams have advanced their processes and intelligence, we see that you have to also account for the safeguards you’ve already put in place.
Risk = threat x vulnerability
This is another way of looking at risk, albeit a bit simplified:
Vulnerability x Threat = Risk
We can sum up this calculation with the concepts from above: that a single vulnerability multiplied by the potential threat (frequency, existing safeguards, and potential value loss) can give you an estimate of the risk involved. In order for organizations to begin risk mitigation and risk management, you first need to understand your vulnerabilities and the threats to those vulnerabilities. This is no small task.
(Related reading: cybersecurity risk management & risk management frameworks.)
Real-world example
Your organization might be looking to protect all its data, likely through data encryption methods and other approaches. But this approach is incredibly expensive, so you must pare down which ones to protect the best.
You could think about the risk involved in this way: if the mechanism for protecting certain data fails in some way, you’ll have one or more vulnerabilities. And if there is a threat actor who finds and exploits this vulnerability, the threat is realized.
Here, your risk is how valuable it would be to lose that data to the threat actor.
Risk management best practices
Part of the problem with risk is this universal truth: you cannot eliminate or entirely protect against all threats, no matter how advanced your systems are. This is where the practice of risk management comes in: a routine, ongoing practice where the right personnel are regularly reviewing risks in order to minimize the potential for certain threats to occur.
The first step to being proactive and having a risk management strategy is acknowledging that organisations can’t totally eliminate risk. Once you understand this, you can start defining your risk assessment which involves five significant steps:
Step 1. Identify risk
Evaluate your organization’s IT environment and infrastructure for vulnerabilities that could affect your operations. This will also involve:
- Determining what could go wrong.
- Defining what is normal or a standard operating procedure.
- Ensuring you adhere to regulatory compliance obligations.
(Related reading: .)
Step 2. Assess risk
Here, you focus on any potential impact this identified risk could cause on your organization, its operation, and its objectives. To determine the risk, one needs to focus more on the vulnerabilities' discoverability, exploitability, and reproducibility to understand how they could impact you fully.
Step 3. Analyze risk
Based on your results from the previous steps, you define the best measures or approaches your organization should take to mitigate risks. Depending on the impact of the risk, you could choose to:
- Accept: Here, you acknowledge the risk and do nothing about it. Usually, the impact is acceptable, and the cost of mitigating the risk is higher than the impact.
- Avoid: Here, you discontinue activities or operations that pose significant risks, especially if they outweigh the benefits.
- Transfer: Here, you share the risk with a third party either by outsourcing or purchasing cyber insurance.
- Mitigate: Here, you implement security measures and control to reduce the impact or the probability of it happening.
Step 4. Set and review risk controls
In this step, you set controls to manage and mitigate possible risks so they are eliminated or significantly reduced. Some controls include firewall configuration, passwords, multi-factor authentication, and encryption. In fact, in 2023, organizations that had control measures saved about US$1.76 million compared to organizations that didn’t.
Frameworks like NIST CSF and FAIR Framework come in handy here as well.
Step 5. Document risk
Regularly document and review any breaches that occur so you can learn from them and improve your risk assessment and control.
Don't ignore all threats
Vulnerabilities and threats are too expensive for organizations to ignore; thus, they must be your priority. So, define an effective risk management assessment while remembering that risk can’t be totally eliminated and that it is an ongoing process that needs to be constantly reviewed.