The rapid development of information and communication technologies brings with it the need to protect them systematically. The field has a number of specific technical terms, and we will explain some of them in turn. What is the difference between a vulnerability, a threat, a risk and an event?
But first, let’s define what an asset is, since it is the damage to or loss of an asset that we will be discussing. We understand an asset to be anything of value to a person, organisation, municipality or state whose disturbance causes harm or damage. An asset is therefore not only real estate, movable property and finances, but also data, reputation, standing at work, credibility, trustworthiness, a clean criminal record, health, a country’s GDP, the quality of education, and more.
Vulnerability
This term refers to any weakness in an information asset: a weakness in an information system, in the system’s security procedures or measures, or in their implementation. In software it is the hole that patch management must close; in a process it is a gap in a control that must be redesigned. Known vulnerabilities should be maintained in a list, populated mainly from official sources such as the manufacturers and suppliers of the software and hardware in use, system integrators, and public vulnerability databases. Take human health as the asset: a cold will limit us at work, so when rain is forecast we take an umbrella. But we forget that the umbrella has holes. In this example the clouds are the threat, the umbrella is the protective mechanism and the hole in it is the vulnerability. If we patch the hole in time, we protect the asset (health). If we did not notice it, we can still take a raincoat, or stay home and so not expose ourselves to the threat at all. There are thus several measures for treating the risk of catching a cold (damaging the asset): fix the control, add another control, or avoid the exposure.
Threat
In cybersecurity a threat is a potential cause of an unwanted incident that may harm a system or an organisation; in the case of an attacker, it is the attempt to gain access to an individual’s or organisation’s system. Threat actors constantly refine their methods, evade detection and exploit newly discovered vulnerabilities, but they also rely on common techniques that can be prepared for. In other words, a threat is the possibility that some event will exploit an existing vulnerability and adversely affect security. Threats are identified on a worst-case basis and recorded in a threat reference catalogue (ISO/IEC 27005:2022 provides example lists), which should be updated continuously in the light of past incidents. Practice divides threats into intentional, accidental and environmental; the best known include malware, ransomware, phishing and social engineering, but also threats from within the organisation. Note that a threat on its own does not harm an asset: it needs a vulnerability to act on.
Risk
Simply put, risk is the combination of the likelihood that an unwanted event will occur and the damage it would cause. In practice it describes the situation in which a specific threat exploits a known or unknown vulnerability with a negative impact on protected assets. The amount of risk is therefore determined by two factors: the probability that the event will occur and the magnitude of its consequence (damage, harm). A threat against an asset with no matching vulnerability, or a vulnerability that no threat can reach, carries little risk; the same vulnerability in a widely exposed, high-value asset carries a great deal.
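To make the relationship between asset, threat, vulnerability and risk concrete, here is a small risk register in Python. It is an added illustration, not code from the original article: the 1..5 scales, the appetite and "avoid" thresholds, and the sample register entries are all assumptions chosen for the example, and each entry pairs one threat with one vulnerability of one asset, as the definition above does.

```python
from dataclasses import dataclass, replace

# Qualitative 1..5 scales are an assumption of this example, not something the
# article prescribes. 5 = near-certain / catastrophic, 1 = rare / negligible.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Scenario:
    """One line of a risk register: a threat acting on a vulnerability of an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # probability that the threat exploits the vulnerability
    impact: int       # magnitude of the consequence for the asset

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"score {v} outside {SCALE_MIN}..{SCALE_MAX}")


def risk_score(s: Scenario) -> int:
    """Risk = likelihood x impact, the two factors the text names."""
    return s.likelihood * s.impact


def treatment(score: int, appetite: int = 6) -> str:
    """Map a score to a treatment decision. The appetite (6) and the 16 cut-off
    are illustrative assumptions; an organisation sets its own."""
    if score <= appetite:
        return "accept"
    if score < 16:
        return "mitigate"   # lower likelihood (patch) or impact (backups)
    return "avoid"          # stop exposing the asset to the threat


def with_control(s: Scenario, likelihood_delta: int = 0, impact_delta: int = 0) -> Scenario:
    """Residual scenario after a control: a patch lowers likelihood, a backup
    lowers impact. Results are clamped to the scale."""
    def clamp(v: int) -> int:
        return max(SCALE_MIN, min(SCALE_MAX, v))
    return replace(s,
                   likelihood=clamp(s.likelihood - likelihood_delta),
                   impact=clamp(s.impact - impact_delta))


def prioritise(register):
    """Highest risk first, so the treatment budget goes where it matters."""
    return sorted(register, key=risk_score, reverse=True)


# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    Scenario("customer database", "ransomware", "unpatched file server", 4, 5),
    Scenario("customer database", "insider misuse", "overly broad DB privileges", 2, 4),
    Scenario("public website", "DDoS", "no upstream rate limiting", 3, 2),
    Scenario("office laptops", "theft", "disk not encrypted", 2, 3),
]


def register_report(register=REGISTER):
    """Return (asset, threat, score, treatment) tuples, highest risk first."""
    return [(s.asset, s.threat, risk_score(s), treatment(risk_score(s)))
            for s in prioritise(register)]


if __name__ == "__main__":
    for row in register_report():
        print(row)
    # Patching the file server removes most of the likelihood but none of the impact.
    patched = with_control(REGISTER[0], likelihood_delta=3)
    print("residual after patching:", risk_score(patched), treatment(risk_score(patched)))
```

The point of `with_control` is that a control changes only one of the two factors: patching the file server lowers the likelihood of the ransomware scenario from 4 to 1, but the database is still worth 5 if it is lost, which is why backups (an impact control) are the usual companion to patching (a likelihood control).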
Event (Security Incident)
We understand a security event as any observed occurrence that causes, or is likely to cause, an unwanted disruption, loss, emergency or crisis in an organisation or system. An incident is an event confirmed to be a specific realisation of a threat, disruption or attack, usually caused by a human being: for example, a breach of security policy, a hacker penetrating a system, a break-in at a facility, leakage of classified information, or loss of a service card. Not every security event causes harm: a person may not be hit in a shooting, a hacking attack may not succeed, and running a red light may not lead to a traffic accident. Events are therefore logged and triaged, and only those that actually compromise an asset are escalated to incidents.
Effective defence starts with knowing the security posture of the IT environment and treating the vulnerabilities found in it. A proper understanding of cybersecurity terminology is therefore the first step towards understanding the whole issue.