What is the difference between a threat, a vulnerability, and a risk?

Whether you’re talking about a website or a house, understanding proper security terms can help you better understand the safety and security of the things you are protecting. We’re going to look at the common terms used in IT security and how they are actually different from one another.

But first, we need to define a very important word that is used with them.

Asset: What you are protecting

In almost any context, an asset is a positive thing, and it often has worth. Money is an asset, for example. When you list assets and liabilities, assets are all things that have value.

In broad terms, an asset can be people, property, or information. For web security purposes, we’re referring to your website here. But it can also include your online reputation or sensitive data such as customer information or financial records.

Any sensitive information that needs to be protected is an asset.

Threat: Something that can damage or destroy an asset

If an asset is what you’re trying to protect, then a threat is what you’re trying to protect against.

Let’s use the example of home ownership to illustrate these. Your home would be your asset. A threat would be a burglar, or even the tools that a burglar might use, like a lock pick. These potential threats can do damage to your home if not protected against.

Online, let’s look at your website as the asset. A security threat to your website would be a hacker, and potentially the tools that a hacker would use, for example a piece of malicious code, like malware, that can be installed on a site. That code can infiltrate your site and install viruses or bring down your website in an attack.

Types of threats

Threats can be natural, unintentional, or intentional:

• A natural threat is one that is outside of your control and unpredictable; they’re often natural disasters and hazards such as tornadoes, floods, hurricanes, forest fires, and more.
• An unintentional threat is an act that puts your information security at risk, but it was not done maliciously. These types of threats can often be attributed to human error.
• An intentional threat is one that compromises your information system and is done purposefully by threat actors.

How to be prepared

The best way to be prepared for intentional cyber threats is to be aware of them. Keeping up to date on cyberattacks and data breaches, and how cyber criminals or hackers are accomplishing them, is important. Some of the common threats include: DDoS (distributed denial-of-service), phishing, SQL injection, man-in-the-middle (MitM), and malware.

Vulnerability: a weakness or gap in your protection

The only way a threat can do damage to your asset is if you have an unchecked vulnerability that the threat can take advantage of.

In the house example, a vulnerability could be a security system that relies on electricity. If there is no battery backup, the burglar could take down the power and then have free unauthorized access to the home. Or another vulnerability could be something as simple as an unlocked window. Anything that a burglar could take advantage of is a security vulnerability.

By that same token, your website could have vulnerabilities that hackers could take advantage of. Old code or plugins that aren’t updated or maintained can be as dangerous as leaving a door unlocked in a house. If you aren’t updating your site regularly, you could be leaving vulnerabilities wide open for hackers to walk right through.

Common vulnerabilities and management

As noted above, old code or plugins are often used by threat actors. It’s important to update your operating system and applications regularly to ensure any unpatched security vulnerabilities are removed. In addition, your IT security teams should ensure that all data is encrypted and there are no software misconfigurations or bugs.

Proactive vulnerability management is essential for cybersecurity. It’s important that your team runs vulnerability assessments and scans regularly. In addition, you should ensure your cybersecurity policy is up to standards (ISO 27001), you have a contingency plan in place, and you maintain strict access control.

Risk: where assets, threats, and vulnerabilities intersect

Risk itself is a function of threats taking advantage of vulnerabilities to steal or damage assets. In other words, Asset + Threat + Vulnerability = Risk.

Understanding these separate concepts help you understand how safe your website really is.

Threats, like hackers, may exist. But if you have no vulnerabilities, then your risk is very low.

You may have vulnerabilities on your site, but if threats don’t exist, then you still have little risk (this is not really an option, however, as hackers are very prevalent online).

Cybersecurity risk management and assessment

Ongoing risk management is essential for any organization. This process consists of regular security risk assessments (SRA) followed by the planning and implementation of risk treatment plans as needed.

An SRA is an evaluation of your organization, technology, and methodologies to ensure that there are the needed safety measures in place to help protect your assets.

Secure your enterprise

For web security, your goal is to close off any vulnerabilities so that your asset can remain safe. The best way to do this is with a SiteLock web security platform plan, which scans your site every day to detect potential vulnerabilities that it can patch and close off before the threats find them.

Another important cybersecurity measure is to ensure your site(s) have SSL certificates; see how Sectigo can help manage your enterprise’s certificate lifecycle.