Cyber Threats vs Vulnerabilities vs Risks

While at first blush these may all look like synonyms, they in fact refer to different aspects of cybersecurity, and knowing the difference is crucial.

By Ian Muscat · Nov. 09, 17 · Tutorial
It's common for the terms cyber threat, vulnerability, and risk to be conflated and confused. This post defines each term, highlights how they differ, and shows how they relate to one another.

Cyber Threats

Cyber threats, or simply threats, are circumstances or events that have the potential to cause harm through their outcome. A few examples of common threats include an attacker stealing sensitive data from your applications, political activists DDoSing your website, an administrator accidentally wiping a production system, and a storm flooding your ISP's data center.

Cyber threats are actualized by threat actors. A threat actor is a person or entity that may initiate a threat. While natural disasters and other environmental and political events do constitute threats, they are not generally regarded as threat actors (this does not mean that such threats should be disregarded or given less importance).

Examples of common threat actors include financially motivated criminals (cybercriminals), politically motivated activists (hacktivists), competitors, careless employees, disgruntled employees, and nation-state attackers.

Cyber threats can also become more dangerous because of threat actors leveraging one or more vulnerabilities in a system, which is what we'll touch upon next.

Vulnerabilities

Vulnerabilities are weaknesses in a system. Vulnerabilities make threats possible and potentially more dangerous. A system may be compromised through a single vulnerability (for example, a single SQL injection flaw can give an attacker full control over sensitive data), or an attacker may chain several exploits together, using more than one vulnerability to reach the same end.

Examples of common vulnerabilities are Cross-site Scripting, SQL injection, server misconfigurations, sensitive data transmitted in plain text, and using software packages with known vulnerabilities.
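To make the SQL injection example above concrete, the following is an added illustration (not code from the original article) of the weakness beside its fix. It assumes Python's standard sqlite3 module, an in-memory database, and a constructed three-row users table; the table, rows, function names, and the tautology payload are all assumptions made for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the original article).
USERS = [
    ("alice", "alice@example.com", "ssn-111"),
    ("bob", "bob@example.com", "ssn-222"),
    ("carol", "carol@example.com", "ssn-333"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The vulnerability: attacker-controlled input is spliced into the SQL
    text, so the input can change the *structure* of the query rather than
    just the value being compared."""
    query = (
        "SELECT username, email, ssn FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterised query. The driver passes the value separately
    from the statement text, so it is only ever treated as data."""
    query = "SELECT username, email, ssn FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> tuple:
    """Run both lookups against a classic tautology payload and return how
    many rows each one leaks. The vulnerable query becomes
    WHERE username = 'nobody' OR '1'='1', which matches every row; the
    hardened query looks for a user literally named nobody' OR '1'='1
    and matches none."""
    conn = make_db()
    payload = "nobody' OR '1'='1"  # constructed attacker input
    stolen = lookup_vulnerable(conn, payload)
    safe = lookup_hardened(conn, payload)
    return len(stolen), len(safe)


if __name__ == "__main__":
    leaked, blocked = demo()
    print(f"vulnerable query returned {leaked} rows, hardened query returned {blocked}")
```

This is the single-vulnerability case from the paragraph above: one injection point is enough to dump the whole table, which is the "sensitive data theft" threat that the Risks section below builds its scenario on. Parameterised queries are the fix; escaping or filtering input is not a substitute.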

Risks

Risks are usually confused with threats; however, there is a nuanced difference between the two. A risk is the combination of a threat's probability and the threat's loss or impact (usually expressed in monetary terms, although it should be noted that quantifying the cost of a breach is extremely difficult). Essentially, this translates to the following:

risk = threat probability x potential loss

A risk, then, is a scenario to be avoided, paired with how likely it is and the losses it would cause. The following is a hypothetical example of how a risk can be constructed.

  • SQL injection is a vulnerability.
  • Sensitive data theft is (one of) the cyber threats SQL injection enables.
  • Financially motivated attackers are (one of) the threat actors.
  • The impact of sensitive data getting stolen will bear a significant financial cost (financial and reputational loss) to the business.
  • The probability of such an attack occurring is high, given that SQL injection is an easily and widely exploited vulnerability and this site is externally facing.

Therefore, the SQL injection vulnerability in the scenario above should be treated as a high-risk vulnerability.

While the difference between a vulnerability on the one hand and threats and risks on the other is usually understood, the difference between threats and risks is more subtle. Understanding this distinction allows for clearer communication and a better understanding of how threats influence risks. Of course, accurately quantifying a threat's potential loss is the really hard part.

Published at DZone with permission of Ian Muscat, DZone MVB. See the original article here.