Evaluating risks, threats, and vulnerabilities

- When developing security strategies, it is important to understand the following terms: Assets, Risks, Threats, and Vulnerabilities. Organizations seek to develop and employ good security practices to protect assets, which are tangible and intangible items that can be assigned a value. Tangible assets include anything you can touch, such as printers or computers. Intangible assets include trade secrets, databases, and company records.

Risk is a chance that something unexpected will happen and is a combination of threats and vulnerabilites according to a formula: Risk equals threats times vulnerabilities. Therefore, in order to understand the risk to assets, possible threats and vulnerabilities must be evaluated. Risk analysis is important for budgeting for security. Manage risk by evaluating and prioritizing and address the most immediate challenges first.

Risk is a function of a threat exploiting a vulnerability. Threats may exist, but if there is not a vulnerability, there will be no risk. Correspondingly, if there is a vulnerability but no threat, then there won't be a risk. Risks include business disruption, financial loss, or even loss of life. A threat, anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

A threat is something that might happen, and can range from innocent mistakes by employees to natural disasters, which in general are difficult to control. Threats include disgruntled employees, terrorists, or nature. A vulnerability is a security flaw in a system that can be exploited by threats to gain unauthorized access to an asset. Connecting a system to the Internet can represent a vulnerability if the system is unpatched.

Vulnerabilities include unpatched systems, human error, or software flaws. Many online lists are available to see vulnerabilities such as US-CERT, which is United States Computer Emergency Readiness Team. Here, we can see an alert. If we wanted to see some more examples, go to African Cyber Risk Institute. Here, we can see examples of risks, threats, and vulnerabilities.

Let's use an example of a story of the Three Little Pigs. With the Three Little Pigs, the first little pig built a house of straw, but the wolf blows it down and eats him. The second little pig builds a house of sticks, but the wolf also blows him down and eats him. The third little pig built a house of bricks, which the wolf cannot blow down. The wolf is going to say in every case, "I'll huff and "puff and blow your house down." So we'll take a look at this and the Three Little Pigs, a risk analysis.

You can see in all three scenarios, the threat is 100%. He is going to huff and puff and try to blow the house down. But over on the vulnerability, this is where the range and the change takes place. The straw house is a 90% vulnerability that it's going to be blown down. The stick house, 40%, and the brick house has 0% vulnerability, so we can see that the risk of the brick house is at 0%. So the moral of the story, in most cases, a vulnerability can be fixed, so test and address vulnerabilities on an ongoing basis.