Definition of Risk, Vulnerability and Threat
There seems to be a lot of confusion among security consultants, reporters and the like about which term to use to describe the whole risk, vulnerability and threat saga. This is my attempt to bring some enlightenment to the issue.
A threat is a party with the intent and capability to exploit a vulnerability in an asset. This could be a malicious hacker or a disgruntled employee.
A vulnerability is a weakness in an asset that can be exploited. For example, the security hole in the Microsoft WMF (Windows Meta File) format is a vulnerability.
Risk is the probability of harmful consequences resulting from interactions between threats and vulnerable assets. Conventionally, risk is expressed by the relation Risk = Severity x Likelihood.
- Severity: If the asset or control gets compromised, what kind of information or access does the attacker get? Grabbing banners or listing directories is rated less severe than, for example, gaining administrative access to the system.
- Likelihood: How likely is it that this will happen? For a vulnerability, how easy is it to find and exploit? A published exploit or a worm using this vulnerability to spread increases the likelihood compared to a vulnerability which is hard to exploit and requires a lot of insider information. In short: How skilled must the threat be to exploit the asset?
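To make the Severity x Likelihood relation concrete, here is an added example (my own illustration, not part of the original post) that scores findings on a three-level scale: likelihood starts from the skill the threat needs and is adjusted by the factors named above (a published exploit or worm raises it, required insider information lowers it). The findings, level mapping and rating thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Finding:
    name: str
    severity: Level              # what the attacker gains if this is exploited
    skill_required: Level        # HIGH skill needed -> lower likelihood
    public_exploit: bool = False
    worm_in_the_wild: bool = False
    insider_info_required: bool = False


def likelihood(f: Finding) -> Level:
    """Derive likelihood from required skill, adjusted by the page's factors."""
    score = 4 - int(f.skill_required)          # LOW skill -> 3, HIGH skill -> 1
    if f.public_exploit or f.worm_in_the_wild:
        score += 1                             # easy to find and exploit
    if f.insider_info_required:
        score -= 1                             # needs knowledge outsiders lack
    return Level(max(Level.LOW, min(Level.HIGH, score)))


def risk(f: Finding) -> int:
    """Risk = Severity x Likelihood, on a 1..9 scale."""
    return int(f.severity) * int(likelihood(f))


def rating(score: int) -> str:
    """Bucket a numeric risk score into a qualitative rating (illustrative thresholds)."""
    return "HIGH" if score >= 6 else "MEDIUM" if score >= 3 else "LOW"


# Constructed sample findings echoing the post's examples.
BANNER_GRAB = Finding("banner grabbing", Level.LOW, Level.LOW, public_exploit=True)
WMF_HOLE = Finding("WMF format hole", Level.HIGH, Level.LOW, worm_in_the_wild=True)
INSIDER_ADMIN = Finding("admin access, insider-only", Level.HIGH, Level.HIGH,
                        insider_info_required=True)


def rank(findings):
    """Order findings so the highest risk is handled first."""
    return sorted(findings, key=risk, reverse=True)


if __name__ == "__main__":
    for f in rank([BANNER_GRAB, WMF_HOLE, INSIDER_ADMIN]):
        print(f"{f.name:28} likelihood={likelihood(f).name:6} risk={risk(f)} ({rating(risk(f))})")
```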
I hope that more people in the industry will start using the right definitions, as it makes us all look bad if they don't.
See also the Wikipedia entry on Risk and UN-ISDR: Terminology on disaster risk reduction.