Difference between vulnerability, threat, and risk

Vulnerability, threat, and risk are the most commonly used terms in cybersecurity and their understanding is very important to keep the company safe from attackers and build strong policies against them.

However, these terms are often mixed up as they are interrelated but not the same.

Vulnerability:

Vulnerabilities are the weakness present in a system or devices which may be exploited to get unauthorized access to the system. And the process of identifying, reporting, and fixing vulnerability is called vulnerability management.

Types of vulnerability:

• Hardware vulnerability: A hardware vulnerability is an attackable flaw in a computer system that allows access to the system hardware physically or remotely.
• Software vulnerability: Software flaws, glitches, or weaknesses that could provide an attacker access to a system are known as software vulnerabilities.
• Network vulnerability: Communication channels that aren’t protected, a network architecture that’s vulnerable, a lack of authentication or default authentication, or other lax network security
• Process vulnerability: A weakness present in a security operation of an organization. For example, Authentication weakness when the user uses a weak password.
• Human vulnerability: This is caused by human error which could lead to exposure of network, system, and sensitive data to malicious users.
• Physical vulnerability: Any weakness or flaw in a data system’s hosting environment that could lead to a direct physical assault on the system is referred to as physical vulnerability.

Example:

• A weakness present in a firewall could lead a malicious hacker to enter the system.
• Installing unauthorized software and apps
• Connecting personal devices to unauthorized networks.

Threat:

Vulnerability will not be a big deal if there is no threat. Threat is a malicious act that has the potential to steal, damage, or destroy the system or network. Having a good understanding of threats helps in reducing the severity and taking the right decision in cybersecurity.

Types of threat:

• Natural: fire, flood, power failure, earthquakes, etc., are not typically associated with cybersecurity but have the potential to damage your assets.
• Unintentional: Unintentional threats are mostly because of human error. For, example An company employee has discussed some confidential information in public and someone took advantage of it so, in this case, it is considered an unintentional threat as the employee had no intention to spread the information. Another example can be an employee who has forgotten to update their firewall and an intruder enters into the system.
• Intentional: When someone purposely tries to damage or destroy the system or network is called an intentional threat. Things like malicious codes, malware, phishing, etc are examples of intentional threats.

Risk:

Risk is the probability that a given threat will exploit a vulnerability present in the system or devices which can cause damage to the organization. Risk can never be removed but it can be managed to reduce its impact on the organization.

Types of risk:

• External: The risk which comes from outside the organization such as malware, malvertising, phishing, DDoS attacks, and ransomware are some of the methods that hackers use externally to gain access to your website, system, or devices.
• Internal: This type of risk is mostly because of an employee, for example, Internal data leaks, giving admin credentials to an unauthorized person, etc.