Difference between Vulnerability & Threat: Point to Remember
One of the favorite games of ISACA is to confuse us with the terms ‘vulnerability’ and ‘threat’ in the CISA exam. Let us understand the basic difference between the two so they cannot trick us any more.

What is a Threat?

A threat is what we are trying to protect against. Our enemy could be an earthquake, fire, hackers, malware, system failure, criminals or many other unknown forces.

What is Vulnerability?

A vulnerability is a weakness or gap in our protection efforts. It can take the form of weak coding, missing anti-virus software, weak access control or other related factors.

What is a Risk?

Risk = Vulnerability * Threat

Risk is the product of vulnerability and threat. That is, we have a risk when our systems have a vulnerability that a given threat can exploit. Thus, threats may exist, but if there are no vulnerabilities then there is no risk. Similarly, you can have a vulnerability, but if there is no threat, then there is no risk.

Both elements (i.e. V * T) must be present to constitute a risk.

Now, let us attempt the exercise below to understand the terms more precisely:

(i) “The door is open. Please close it to keep thieves out. If they get in, we will be robbed.”

Please identify the vulnerability, the threat and the risk in the above statement.

Threat: Thieves (not in our control)

Vulnerability: Open door (can be controlled by us)

Risk: Robbery

(ii) “If anti-virus software is not updated regularly, then a new type of virus can destroy our data.”

Please identify the vulnerability, the threat and the risk in the above statement.

Threat: Virus

Vulnerability: Expired anti-virus

Risk: Data destruction
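As an added illustration of the V * T rule and of the two exercises above, here is a small risk-register script. It is example code written for this note, not from ISACA or the original author; the scenarios, the 0–5 threat and vulnerability scores and the field names are constructed assumptions. It shows that a zero on either side gives zero risk, and that the element we can act on is always the vulnerability:

```python
"""Toy risk register: Risk = Vulnerability * Threat (example code for this note)."""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    threat: str                # the enemy (assumed not in our control)
    threat_level: int          # constructed scale: 0 = no credible threat, 5 = very likely
    vulnerability: str         # the gap in our protection (assumed controllable by us)
    vulnerability_level: int   # constructed scale: 0 = no weakness, 5 = wide open
    consequence: str           # what happens if the threat exploits the gap


def risk_score(s: Scenario) -> int:
    """Risk = Vulnerability * Threat, on the constructed 0-5 scales."""
    return s.vulnerability_level * s.threat_level


def assess(s: Scenario) -> dict:
    """Classify one scenario and name the element we should control."""
    score = risk_score(s)
    if score == 0:
        # Either factor being zero removes the risk entirely.
        reason = "no threat" if s.threat_level == 0 else "no vulnerability"
        return {"name": s.name, "risk": 0, "status": "no risk",
                "reason": reason, "control": None}
    # We cannot remove thieves or viruses, but we can close the door
    # or update the anti-virus, so the control target is the vulnerability.
    return {"name": s.name, "risk": score, "status": "risk",
            "reason": s.consequence, "control": s.vulnerability}


# Constructed scenarios mirroring the two exercises, plus their "fixed" counterparts.
SCENARIOS = [
    Scenario("open door", "thieves", 4, "open door", 5, "robbery"),
    Scenario("closed door", "thieves", 4, "open door", 0, "robbery"),
    Scenario("expired anti-virus", "virus", 5, "expired anti-virus", 4, "data destruction"),
    Scenario("offline vault", "virus", 0, "expired anti-virus", 4, "data destruction"),
]


def assess_all(scenarios=SCENARIOS) -> list:
    """Assess every scenario, highest risk first."""
    return sorted((assess(s) for s in scenarios), key=lambda r: -r["risk"])


if __name__ == "__main__":
    for r in assess_all():
        print(f"{r['name']:<20} risk={r['risk']:<3} {r['status']:<8} "
              f"reason={r['reason']:<18} control={r['control']}")
```

The register orders scenarios by score, so the two with a present threat and a present vulnerability rise to the top, while the "closed door" (vulnerability removed) and "offline vault" (threat removed) both score zero for different reasons.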