Two terms that I often hear used interchangeably in security discussions are threat and risk. They are related, but they describe different things, and people somehow continue to mix them up.
A threat is best thought of as the combination of intent, opportunity, ability, and willingness to commit a malicious act. Attackers, whether planning to assault someone on the street, break into a building, or hack into a computer network, begin with the intent to carry out a threat. They want something and are looking for the opportunity to take it. However, they may not possess the tools, skills, or knowledge to commit the malicious or criminal act without getting caught, so they must also be willing to take that chance. Of course, not every bad guy out there thinks these aspects of a threat through, but when the elements come together, an attack may follow. Note that the threat belongs to the attacker: nothing the defender does changes an attacker's intent, only the opportunity the attacker is given.
Risk requires that something of value be vulnerable and exposed to the malicious act. Risk is reduced by protecting the object of value, which could be your wallet, the 65" LCD television in your living room, or the Personally Identifiable Information (PII) stored on your laptop. Objects of value are vulnerable to attack and exposed to a potential threat, and those are two separate properties. For example, the purse carried by a little old woman in the street is vulnerable because the woman may be too weak to keep a mugger from snatching it; that vulnerability does not change. What she can change is the exposure: she reduces it by carrying the purse at her waist, tucked between both hands. Were the purse dangling from her outstretched arm, the additional exposure might present exactly the opportunity a mugger needs to steal it.
Risk from a threat is mitigated by adding layers of security around the object of value. We lock our doors to keep the casual intruder from walking in and taking our shiny new TVs. We leave our dogs in the house to deter the same intruder, and we may even turn on our alarm systems so that we are alerted to attempted break-ins while away from home. Each measure compensates for a vulnerability we cannot remove (a door can always be forced) and reduces the likelihood of a successful attack by raising the ability the attacker needs and the chance of getting caught. Most attackers are opportunistic and will move on to the next target if their ability to cause harm is insufficient or their tolerance for getting caught is too low. The threat itself has not gone away; what has changed is the opportunity, and therefore the risk.
A non-scientific model of Threat and Risk can be represented like this:
In the next blog entry, I will explain Risk Mitigation and provide examples that further clarify the relationship between Threat and Risk.