Every profession has its own language/vocabulary, whether it is the medical profession, law or information technology. The medical and law professions have been around for hundreds of years and have long instituted their professional vocabulary. However, IT and information security have only been around for a few decades and do not have the maturity of other professions in instituting a vocabulary.
There are several words in our profession that carry multiple meanings. I am going to focus on three that are commonly used to describe danger to an organization but that mean different things and should not be interchanged: Risk, Threat and Vulnerability. To most people, even within the IT profession, these words are interchangeable. For security professionals they should not be, because they have completely different meanings. Treating them as interchangeable confuses our security and IT colleagues and the leaders in our organizations.
Let’s first look at Risk. According to Webster, Risk is the possibility of something bad happening. It involves uncertainty about the effects or implications of an activity with respect to something that humans value, and it usually focuses on negative, undesirable consequences. It’s the “Unknowing,” the “What If” and the “Ambiguous.” The FAIR Institute, whose quantitative framework evaluates Risk, gives it a more measurable definition by adding two parameters: how often losses are likely to happen and how much loss is likely to result from each one. These parameters help the security practitioner quantify the Risk. An example would be: “We have a Risk of ransomware being within our network, and it could impact our systems between 3 and 9 times a year.” That statement does not say ransomware is present; it states that we don’t know whether it is, and it gives the probability of it impacting the firm.
A Threat is defined as an expression of intention to inflict harm, injury or damage – in other words, an intent of using ransomware to inflict harm or damage to an organization. In the FAIR textbook “Measuring and Managing Information Risk,” threats are usually described as actors or communities. It is easier to think of threats linked to a group (such as a nation-state-backed crime syndicate) or natural disaster (such as a flood, earthquake or tornado). These intentions or events require the negative intent of action to be considered threats to an enterprise’s health. If there is no negative intent, then it is not a Threat.
Vulnerability is defined as the capability of being physically or emotionally wounded. In our profession, a Vulnerability is a condition that increases the capability of being harmed. An example is being behind in OS patching, which can allow ransomware to exploit and infect machines. Being behind on the patching schedule opens the possibility of future harm but does not mean that harm will happen.
I have recently been studying for the CISM exam and ran across a formula that explains how these words should be used in our profession. Risk is the product of Threat and Vulnerability. The formula looks like this:
Risk = Threat * Vulnerability
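The following is an added example, not part of the original article, that carries the formula above and the two FAIR parameters from the Risk paragraph (how often a loss is likely to happen, and how much loss each event is likely to cause) into working code. The scenario numbers (ransomware acting 3 to 9 times a year, a constructed per-event loss range) are illustrative assumptions, not figures from the article or from FAIR; the `Threat`, `Vulnerability`, `risk_bounds` and `simulate_annual_loss` names are my own.

```python
"""Added example: a small risk-scenario model built on Risk = Threat * Vulnerability.

A Threat without hostile intent, or a Vulnerability that is not present,
contributes a factor of zero, so the product (the Risk) is zero. When both are
present, the annual frequency range of the threat and the per-event loss range
of the vulnerability give the quantitative Risk that the FAIR framing asks for.
All numbers below are constructed for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    hostile_intent: bool       # the article: no negative intent means no Threat
    events_per_year: tuple     # (low, high) integer count of attempts per year


@dataclass(frozen=True)
class Vulnerability:
    name: str
    present: bool              # e.g. machines behind on OS patching
    loss_per_event: tuple      # (low, high) loss in dollars when an attempt succeeds


def risk_bounds(threat: Threat, vuln: Vulnerability) -> tuple:
    """Risk = Threat * Vulnerability, expressed as (low, high) annual loss bounds.

    If either factor is absent the Risk is (0.0, 0.0), which is the formula's
    point: a Threat alone or a Vulnerability alone is not yet a Risk.
    """
    if not threat.hostile_intent or not vuln.present:
        return (0.0, 0.0)
    f_lo, f_hi = threat.events_per_year
    l_lo, l_hi = vuln.loss_per_event
    return (float(f_lo * l_lo), float(f_hi * l_hi))


def simulate_annual_loss(threat: Threat, vuln: Vulnerability,
                         trials: int = 10_000, seed: int = 1) -> tuple:
    """Monte Carlo estimate of one year's loss.

    Each trial draws a number of events uniformly from the threat's frequency
    range and a loss uniformly from the vulnerability's loss range for every
    event. Returns (mean annual loss, 90th-percentile annual loss).
    """
    lo, hi = risk_bounds(threat, vuln)
    if hi == 0.0:
        return (0.0, 0.0)
    rng = random.Random(seed)           # fixed seed so the run is repeatable
    f_lo, f_hi = threat.events_per_year
    l_lo, l_hi = vuln.loss_per_event
    losses = []
    for _ in range(trials):
        n_events = rng.randint(f_lo, f_hi)
        losses.append(sum(rng.uniform(l_lo, l_hi) for _ in range(n_events)))
    losses.sort()
    mean = sum(losses) / trials
    p90 = losses[int(0.9 * trials) - 1]
    return (mean, p90)


# Constructed scenario: the article's "3 to 9 times a year" ransomware example,
# paired with an assumed $20k-$80k loss per successful infection.
RANSOMWARE = Threat("ransomware crime syndicate", True, (3, 9))
UNPATCHED = Vulnerability("OS patching behind schedule", True, (20_000.0, 80_000.0))
# The same condition after remediation: the Vulnerability factor drops to zero.
PATCHED = Vulnerability("OS patching current", False, (20_000.0, 80_000.0))

if __name__ == "__main__":
    for vuln in (UNPATCHED, PATCHED):
        low, high = risk_bounds(RANSOMWARE, vuln)
        mean, p90 = simulate_annual_loss(RANSOMWARE, vuln)
        print(f"{RANSOMWARE.name} x {vuln.name}: "
              f"bounds ${low:,.0f}-${high:,.0f}, mean ${mean:,.0f}, p90 ${p90:,.0f}")
```

The deterministic `risk_bounds` gives the worst-case and best-case envelope a practitioner can state in one sentence; the simulation adds the expected value and a tail figure, which is what leadership usually asks for once the vocabulary is straight. Running it also shows the formula at work: remediating the Vulnerability takes the Risk to zero even though the Threat is unchanged.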
The layperson and our IT teammates will often interchange these words when describing a danger to an organization or firm. Following this formula makes it clear that the elements cannot be interchanged. It is up to the security practitioner to keep educating fellow IT professionals and business colleagues on the proper use of these words.
As security practitioners, we must resist this blending, use the words correctly and gently correct our colleagues when they use them to describe dangerous situations. As with the other professions, it will take decades to institute a universal vocabulary, but as IT security professionals it is up to us to set and publicize the standard for the proper use of the words Risk, Threat and Vulnerability.