This week's post will focus on computer threats. This is a good time to define the difference between a vulnerability, a threat and a risk, since the three terms are easily confused:
THREAT: An attack, event or actor that exploits a vulnerability (intentionally or unintentionally) and may result in damage to an asset, unauthorized access to data, or destruction of the asset. An example is the loss or theft of a laptop whose disk is not encrypted: whoever finds the machine can boot it from removable media or use any of a number of tools to read the data without knowing the login password, because an account password alone does not protect data at rest.
VULNERABILITY: A weakness that a threat can exploit to gain unauthorized access to an asset. Examples are the absence of disk encryption on a laptop, or a misconfigured router that allows all traffic in and out of an organization's network.
RISK: "Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation" (Guide for Conducting Risk Assessments, 2012).
This diagram of threats, vulnerabilities and potential risks may make these terms easier to understand:
References:
Guide for Conducting Risk Assessments. (2012, September). NIST Special Publication 800-30 Revision 1. National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
Maniscalchi, J. (2009, June 26). Threat vs Vulnerability vs Risk. Digital Threat. Retrieved from http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/