Consider the following two examples:
There is an office building with no physical security controls. There is no perimeter wall around the building. Nobody is asked for identification on entry, and there is no baggage scanner.
An e-commerce company has around 50 computers in an office through which it manages its back-end operations. The systems are not connected to the Internet, and hence no anti-virus solution is installed on them. Moreover, anyone can log in to these systems, as there is no authentication mechanism (simply stated – no username, no password) for logging in.
What do you make of the above scenarios? I sense that you understand that in both situations there is a risk to the building and to the company. Let’s go through the definitions of the three most commonly used terms in information security.
Vulnerability – Weakness. In other words, the inability to withstand the effects of a hostile environment. In information security, we consider weakness from a physical or a logical aspect, i.e. it can be a hardware, software, human or physical weakness.
Now read the scenarios once again. Can you identify the vulnerabilities in them? In the first one, one weakness is the lack of a perimeter wall. Here the perimeter wall would be a countermeasure; a countermeasure is a safeguard that is put in place. Hence a vulnerability can also be defined as a “lack of countermeasure”. Another weakness is that nobody is asked for identification, which allows anyone to enter the building.
In the second scenario, the lack of an antivirus solution is a vulnerability. The lack of any authentication mechanism is another weakness.
Threat – The potential danger of a vulnerability being exploited. In the first scenario, there is a threat of a person entering the building and attacking it. In the second scenario, there is a potential danger of the systems being infected with viruses or encrypted by ransomware. In both cases, there is a potential danger of the weaknesses in the systems being exploited by some entity. This entity is known as the threat agent. Simply stated, a threat agent is an entity that can exploit the weaknesses in a system; it can be a person, a piece of software or a bot.
Risk – Read the above scenarios once again. What is the likelihood that the building will be attacked or that the systems will be hit with ransomware? This probability, whether you calculate it or estimate it from experience, is the risk. In numerical terms, many books define risk as the product of threat and vulnerability. If the vulnerability is exploited by a threat agent, damage may occur; hence risk is the real potential damage that can happen.
Let me ask you another question. Do you think the risk would change if I gave you the additional information that the office building is near a military zone and that the systems have their USB ports disabled? If your answer is yes, great. This is called the context in which you talk about risk. Risk is not something that is calculated once and acted upon, nor is it the same in every context or scenario. As scenarios, conditions and countermeasures change, the risk changes. Unfortunately, many organizations do not understand this fact.
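To make the "risk = threat × vulnerability" idea and the role of context concrete, here is a small risk register written as an added example for this post (it is not the author's own tool, and the 1-to-5 scales, countermeasure names and scores are constructed for illustration). Each vulnerability's severity drops when a countermeasure is present in the context, each threat's likelihood rises under conditions such as "near military zone", and the same two scenarios from the post are scored with and without those contextual facts.

```python
# Added illustration (not from the original post): a toy risk register in which
# risk = threat likelihood x vulnerability severity, and both factors move with
# the context (countermeasures in place, surroundings). Scales and numbers are
# constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    name: str
    base_severity: int                 # 1 (hard to exploit) .. 5 (trivial to exploit)
    # countermeasure -> how much it lowers severity when present in the context
    mitigations: dict[str, int] = field(default_factory=dict)

    def severity(self, context: set[str]) -> int:
        reduction = sum(d for c, d in self.mitigations.items() if c in context)
        return max(1, self.base_severity - reduction)


@dataclass
class Threat:
    name: str
    base_likelihood: int               # 1 (rare) .. 5 (expected)
    exploits: str                      # name of the vulnerability the threat agent would use
    # contextual condition -> how much it raises likelihood when present
    amplifiers: dict[str, int] = field(default_factory=dict)

    def likelihood(self, context: set[str]) -> int:
        increase = sum(d for c, d in self.amplifiers.items() if c in context)
        return min(5, self.base_likelihood + increase)


def assess(threats: list[Threat], vulns: list[Vulnerability],
           context: set[str]) -> list[tuple[str, str, int]]:
    """Return (threat, vulnerability, risk score) rows, highest risk first."""
    by_name = {v.name: v for v in vulns}
    rows = []
    for t in threats:
        v = by_name[t.exploits]
        rows.append((t.name, v.name, t.likelihood(context) * v.severity(context)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Scenario 1: the office building (constructed numbers)
BUILDING_VULNS = [
    Vulnerability("no perimeter wall", 5, {"perimeter wall": 4}),
    Vulnerability("no ID check at entry", 4, {"ID check at entry": 3}),
]
BUILDING_THREATS = [
    Threat("intruder attacks the building", 2, "no perimeter wall", {"near military zone": 2}),
    Threat("unauthorised visitor walks in", 3, "no ID check at entry", {"near military zone": 1}),
]

# Scenario 2: the e-commerce back-office systems (constructed numbers)
SYSTEM_VULNS = [
    Vulnerability("no antivirus", 4, {"antivirus installed": 2, "USB ports disabled": 2}),
    Vulnerability("no authentication", 5, {"login required": 4}),
]
SYSTEM_THREATS = [
    Threat("ransomware arrives on removable media", 3, "no antivirus"),
    Threat("anyone logs in and tampers with data", 4, "no authentication"),
]


if __name__ == "__main__":
    for label, ctx in [("as described", set()),
                       ("near military zone", {"near military zone"}),
                       ("military zone + perimeter wall", {"near military zone", "perimeter wall"})]:
        print(f"Building, {label}: {assess(BUILDING_THREATS, BUILDING_VULNS, ctx)}")
    for label, ctx in [("as described", set()),
                       ("USB ports disabled", {"USB ports disabled"})]:
        print(f"Systems, {label}: {assess(SYSTEM_THREATS, SYSTEM_VULNS, ctx)}")
```

Running it shows the point of the paragraph above: adding "near military zone" to the context doubles the intruder score and moves it to the top of the register, adding a perimeter wall then pushes it back down, and disabling USB ports halves the ransomware score without touching the unauthenticated-login risk, which stays the largest item until a login requirement is added.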
You can also check out the YouTube video on this topic.