Vulnerability x Threat = Risk

In order to understand risk, we must first understand the definitions of threat and vulnerability. A business risk results from significant conditions, events, circumstances, actions, or inactions that could adversely affect your company’s ability to achieve its objectives and execute its strategies. Risk is the condition that results when vulnerabilities and threats act upon critical assets.

In information security, we like to use the formula “Vulnerability x Threat = Risk” to express this. So, what are threat and vulnerability?

What is a Threat?

A threat is a potential event that could take advantage of a flaw in a protected asset and result in the loss of that asset’s confidentiality, integrity, and/or availability (C-I-A). Threats degrade the performance of critical assets. There is always a potential flaw that could be exposed, so when a threat is identified, think about how it could affect each pillar of security: confidentiality, integrity, and availability.

Think about this scenario: your organization is storing a box of hard-copy paper patient records. The sprinklers in your building go off, and the records are soaked. You have to hire a company to come in, dry out the records, and restore them to a readable state. What security losses have you had? Availability, but also integrity, because the data has been damaged. It hasn’t been stolen, so there’s no loss of confidentiality, but the data is not usable because of the water damage. We can’t have all the pillars of security if we can’t use the asset for its intended purpose.

Next, let’s think about the three types of threats:

  • What are the natural threats? This could be anything like floods, earthquakes, or hurricanes.
  • What are man-made threats to the assets we’re trying to protect? Man-made threats are categorized as intentional, deliberate, or accidental.
  • What about environmental threats? Could your asset be affected by environmental threats such as power failure, pollution, chemical damage, or water damage?

What is a Vulnerability?

A vulnerability is a known or unknown flaw or weakness in an asset that could result in the loss of the asset’s integrity, availability, and/or confidentiality. An internal vulnerability could be a lack of security awareness training or missing documentation for a critical process. Let’s go back to our paper records scenario. The flaws would be that the print can fade over time, so the records could become unusable in the future, and that they exist in a single physical location, so if they are ever lost, that information is gone.

Threat identification and vulnerability identification are both integral parts of a risk assessment. Once you’ve identified your threats and vulnerabilities, you’ll be able to determine how to mitigate the negative impact of those threats and vulnerabilities. The controls you put into place should be based on an assessment of risk. For more details on how to complete a formally documented risk assessment, download our free Risk Assessment Guide.
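To make the formula concrete, here is an added example (not from the original article) of a minimal risk register in Python that scores the paper-records scenario above by threat type, affected C-I-A pillar, and Vulnerability x Threat; the 1-to-5 scales, the low/medium/high bands, and the register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Threat categories and security pillars exactly as the article names them.
THREAT_TYPES = {"natural", "man-made", "environmental"}
PILLARS = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    threat_type: str              # one of THREAT_TYPES
    vulnerability: str
    pillars_affected: frozenset   # the C-I-A pillars this pairing would degrade
    threat_likelihood: int        # 1 (rare) .. 5 (almost certain); assumed scale
    vulnerability_severity: int   # 1 (hard to exercise) .. 5 (trivial); assumed scale

    def __post_init__(self):
        if self.threat_type not in THREAT_TYPES:
            raise ValueError(f"unknown threat type: {self.threat_type}")
        if not self.pillars_affected <= set(PILLARS):
            raise ValueError(f"unknown pillar in {sorted(self.pillars_affected)}")
        if not all(1 <= s <= 5 for s in (self.threat_likelihood, self.vulnerability_severity)):
            raise ValueError("likelihood and severity must be scored 1..5")

    @property
    def risk(self) -> int:
        return self.vulnerability_severity * self.threat_likelihood  # Vulnerability x Threat = Risk

def risk_level(score: int) -> str:
    """Band a 1..25 score; the thresholds are an assumed convention, not the article's."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def prioritize(register):
    """Highest risk first: the order in which controls should be considered."""
    return sorted(register, key=lambda e: e.risk, reverse=True)

def pillar_exposure(register):
    """Worst-case risk score per C-I-A pillar across the whole register."""
    return {p: max((e.risk for e in register if p in e.pillars_affected), default=0)
            for p in PILLARS}

# Constructed register for the article's paper patient-records scenario.
PAPER_RECORDS = [
    RiskEntry("paper patient records", "sprinkler discharge soaks the box", "environmental",
              "single hard copy, no backup", frozenset({"integrity", "availability"}), 2, 5),
    RiskEntry("paper patient records", "building flood", "natural",
              "records kept in one physical location", frozenset({"integrity", "availability"}), 1, 5),
    RiskEntry("paper patient records", "staff leave records in a public area", "man-made",
              "no security awareness training", frozenset({"confidentiality"}), 3, 3),
]
```

Running `prioritize(PAPER_RECORDS)` puts the sprinkler entry first (score 10, "medium"), which is the control to fund before the flood case even though both would hurt the same pillars.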

What is a threat? A threat is a potential source that could exercise, accidentally or intentionally, a specific vulnerability. What is a vulnerability? A vulnerability is a flaw or weakness in system security procedures, design, implementation, or other controls that could be accidentally or intentionally exploited.