Security

Understanding risk, threat, and vulnerability

IT security, like any other technical field, has its own specialized language developed to make it easier for experts to discuss the subject. It pays to understand this jargon when researching security.


---------------------------------------------------------------------------------------

A lot of security terms get used almost interchangeably in the popular tech press, even when they shouldn't. Different security jargon terms have distinct meanings, to be used in specific ways, for a reason. For example, a "risk assessment" and a "threat assessment" are two entirely different things, and each is valuable for its own reasons and applicable to solving different problems.

The three security terms "risk", "threat", and "vulnerability" will be defined and differentiated here:

Risk

The term "risk" refers to the likelihood of being targeted by a given attack, of an attack being successful, and general exposure to a given threat. A risk assessment is performed to determine the most important potential security breaches to address now, rather than later. One enumerates the most critical and most likely dangers, and evaluates their levels of risk relative to each other as a function of the interaction between the cost of a breach and the probability of that breach.

Analyzing risk can help one determine appropriate security budgeting -- for both time and money -- and prioritize security policy implementations so that the most immediate challenges can be resolved the most quickly.
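As an added example (not part of Chad Perrin's article), a small risk register that ranks enumerated dangers relative to each other and then allocates a budget to the ones worth addressing now. It assumes the "interaction between cost and probability" is modelled as their product, and adds a per-item mitigation cost and the sample figures, none of which come from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One enumerated danger: what a breach costs and how likely it is."""
    name: str
    breach_cost: float      # estimated loss if the breach occurs
    probability: float      # estimated probability of that breach in the period (0..1)
    mitigation_cost: float  # what it would cost to address it now (assumed field)

    def expected_loss(self) -> float:
        # Risk level modelled as cost x probability; this is an assumption
        # about how the two interact, not something the article prescribes.
        return self.breach_cost * self.probability


def rank_risks(risks):
    """Order dangers by relative risk level, highest first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def prioritize(risks, budget):
    """Decide what to address now: greedily take the best expected-loss
    reduction per unit of mitigation spend until the budget runs out."""
    chosen, remaining = [], budget
    by_value = sorted(risks, key=lambda r: r.expected_loss() / r.mitigation_cost,
                      reverse=True)
    for r in by_value:
        if r.mitigation_cost <= remaining:
            chosen.append(r.name)
            remaining -= r.mitigation_cost
    return chosen, remaining


# Constructed sample register: illustrative figures, not taken from the article.
SAMPLE = [
    Risk("Phishing leads to credential theft", 50_000, 0.45, 8_000),
    Risk("Unpatched web server compromised", 200_000, 0.10, 15_000),
    Risk("Laptop with customer data lost", 80_000, 0.05, 2_000),
    Risk("Datacenter fire", 1_000_000, 0.001, 40_000),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE):
        print(f"{r.expected_loss():>10,.0f}  {r.name}")
    print(prioritize(SAMPLE, budget=20_000))
```

Note that the highest-ranked risk is not always the first one funded: the cheap laptop-encryption item beats the costlier web-server fix on loss reduction per unit spent.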

Threat

The term "threat" refers to the source and means of a particular type of attack. A threat assessment is performed to determine the best approaches to securing a system against a particular threat, or class of threat. Penetration testing exercises are substantially focused on assessing threat profiles, to help one develop effective countermeasures against the types of attacks represented by a given threat. Where risk assessments focus more on analyzing the potential and tendency of one's resources to fall prey to various attacks, threat assessments focus more on analyzing the attacker's resources.

Analyzing threats can help one develop specific security policies to implement in line with policy priorities and understand the specific implementation needs for securing one's resources.

Vulnerability

The term "vulnerability" refers to the security flaws in a system that allow an attack to be successful. Vulnerability testing should be performed on an ongoing basis by the parties responsible for resolving such vulnerabilities, and helps to provide data used to identify unexpected dangers to security that need to be addressed. Such vulnerabilities are not particular to technology -- they can also apply to social factors such as individual authentication and authorization policies.

Testing for vulnerabilities is useful for maintaining ongoing security, allowing the people responsible for the security of one's resources to respond effectively to new dangers as they arise. It is also invaluable for policy and technology development, and as part of a technology selection process; selecting the right technology early on can ensure significant savings in time, money, and other business costs further down the line.

Understanding the proper use of such terms is important not only to sound like you know what you're talking about, nor even just to facilitate communication. It also helps develop and employ good policies. The specificity of technical jargon reflects the way experts have identified clear distinctions between practical realities of their fields of expertise, and can help clarify even for oneself how one should address the challenges that arise.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

23 comments
seanferd

to be attached to an article of clarification.

blennerton

You fortify vulnerabilities against threats to reduce risk(s).

Tony Hopkinson

of your vulnerables being threatened. :O Was this prompted by your fear of the Chinese ?

santeewelding

These make up knowns that lead to unknowns we wish to make known. Cut and dried. They don't appear to lead, however, to your impetus -- the imperial, "will be defined". Must be the military experience.

apotheon

Contrasted with buzzwords, technical jargon is developed more for discussing the needs of a field of expertise, rather than the currently popular means of filling those needs. Maybe I'll address the difference between technical jargon and buzzwords at some point, if I decide it's not obvious enough already.

apotheon

. . . I guess that's a pretty good summary.

apotheon

It was prompted more by the way people tend to misuse terms that have very specific meanings within a given technical context.

Shellbot

Not being a "security" person myself, I don't know a whole lot about the subject. I'm trying to learn more though because the way IT is going, if you don't know at min the basics..you're not going to go anywhere.

santeewelding

Until you run into ones with the authority of experience to play hob with your set-pieces. Don't misconstrue. Your declaration was good, as a departure point.

santeewelding

You can't. I take up what you say in my left hand, the right occupied with greater things. If you fuss, I turn my palm and let you fall. You see, it is you who come to me. I don't come to you. You beseech. I entertain.

apotheon

I'm glad you got some value from it.

santeewelding

All this long while, a question. Step through. Operative word, "until". Your head must be still spinning.

apotheon

Until you run into ones with the authority of experience to play hob with your set-pieces. Where did this happen?

Shellbot

I see :) it's quiet on here tonight..normally I'm not on this late, but uploading my photos to TR so killing some time

Shellbot

I have no clue what that means Santee :) Oh and where are these "secrets".... ]:)

santeewelding

On TR where everyone could read this message would be inadvisable.

Shellbot

that's good to hear :) AH man..am I that old..calling me ma'am.. :(

santeewelding

And it had nothing to do with his underwear.

Shellbot

You're back in form :) All recovered now?

apotheon

You did a great job of assigning a whole lot of intent to me without any evidence of it. Keep it up. Maybe you'll guess at the color of my underwear next.
