If organisations are to adequately protect their sensitive data, they need to understand the three core components of information security: threat, vulnerability and risk.
Those unfamiliar with the technicalities of information security might assume that these terms are interchangeable, but that’s not true.
In this blog, we explain the differences between them and provide examples of each.
What is an information security vulnerability?
A vulnerability is a known flaw that can be exploited to damage or compromise sensitive information.
Vulnerabilities are often associated with software flaws and the ways they can be exploited to perform tasks that they weren’t intended for. For instance, an attacker might take advantage of a vulnerability to plant malware on the organisation’s systems.
But vulnerabilities can also refer to weaknesses in physical security systems and in people.
A human weakness counts as a vulnerability because a malicious actor can take advantage of it to gain unauthorised access to sensitive information, or because the employee is liable to make mistakes.
Information security vulnerability examples
Software vulnerabilities include injection flaws, cross-site scripting flaws, broken access control and misconfigurations.
Examples of physical weaknesses are broken locks that let unauthorised parties into a restricted part of your premises, and structural flaws in the building, such as a leaky pipe near a power outlet.
Other vulnerabilities include inherent human weaknesses, such as our susceptibility to phishing emails or the likelihood that we’ll misplace a sensitive file or send it to the wrong person.
What is an information security threat?
An information security threat occurs when a vulnerability is exploited, whether intentionally or accidentally.
It includes any event that could negatively affect an asset – for example, if it’s lost, knocked offline or accessed by an unauthorised party.
Information security threat examples
There are three types of threat. The first type is unintentional threats, such as an employee sending sensitive files to the wrong person or losing a hard drive.
In this instance, the vulnerability is an employee’s susceptibility to making a mistake, and the threat is the event itself that causes that mistake – i.e. the act of sending sensitive files to the wrong person.
The second type of threat is natural events, which may be caused by poor weather (such as a hurricane or snowstorm) or infrastructural damage (such as a burst pipe or a fire).
Again, the vulnerability is the organisation’s premises being located somewhere that may experience bad weather or infrastructural damage, and the threat is the event itself.
Finally, there are intentional threats, which comprise the actions of criminal hackers and malicious insiders. For example, an attacker may knock an organisation offline with a ransomware attack, and a malicious insider may misappropriate sensitive information.
What is information security risk?
An information security risk is defined as the effects of a threat exploiting a vulnerability.
Risks include financial losses, loss of privacy, reputational damage and regulatory action.
Information security risk examples
A typical example of a risk is what happens when an employee falls for a phishing scam. These are malicious emails that trick people into handing over their login credentials or downloading an attachment containing malware.
In this example, the phishing email is the threat and the employee’s susceptibility to be fooled is the vulnerability.
If they mistakenly open the attachment, the malware will be released onto their system and cause huge problems. Often, this entails attackers using spyware to monitor what the employee does on that system, giving them access to databases and other sensitive files.
The other form of phishing involves a more direct attack. The scammer makes the employee think they are logging in to a legitimate service but are instead handing over their username and password.
These are the risks associated with phishing scams.
Another example of an information security risk is the result of a ransomware attack. In this case, the ransomware is the threat and the means by which it is planted (often a system flaw or a phishing email) is the vulnerability.
Once infected, the organisation is locked out of its systems, with the attackers demanding a fee in exchange for the decryption key.
Given that cyber security experts warn against paying ransomware attackers, the organisation must resort to manual processes where possible, which will slow down processes and could result in deadlines not being met and contracts not being fulfilled.
Planning for vulnerabilities, threats and risks
Now that you understand the differences between vulnerabilities, threats and risks, you can see that information security comprises an intricate set of circumstances.
You should also be able to see a logical approach to the way risk management works. If you take an asset-based approach, you start with the information or location that could be compromised and then work out the ways it could be damaged (vulnerability) and how that could occur (threat).
Once you’ve defined those, you can identify your risks.
Of course, that’s only the first part of information security risk management; there’s also the managing aspect, in which you document risks, assess and prioritise them, then implement measures to keep you protected.
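As an added example (not the blog's or vsRisk's own code) of the asset-based approach just described, the register below keeps asset, vulnerability, threat and resulting risk as distinct fields, rejects entries that conflate or omit one of them, and orders treatment by a score. The 1-5 likelihood and impact scales and the likelihood × impact score are assumptions; the post names no scoring method.

```python
"""Asset-based risk register (added example; scoring scales are assumed)."""
from dataclasses import dataclass

# The three kinds of threat the post distinguishes.
THREAT_TYPES = {"unintentional", "natural", "intentional"}


@dataclass(frozen=True)
class RiskEntry:
    asset: str          # the information or location that could be compromised
    vulnerability: str  # the weakness that could be exploited
    threat: str         # the event that exploits the vulnerability
    threat_type: str    # unintentional, natural or intentional
    risk: str           # the effect if the threat exploits the vulnerability
    likelihood: int     # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int         # assumed scale: 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        # Every component must be recorded; a risk with no vulnerability
        # or no threat is not yet a usable register entry.
        for field in ("asset", "vulnerability", "threat", "risk"):
            if not getattr(self, field).strip():
                raise ValueError(f"{field} must not be empty")
        if self.threat_type not in THREAT_TYPES:
            raise ValueError(f"unknown threat type: {self.threat_type}")
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")

    def score(self) -> int:
        # Assumed prioritisation: likelihood x impact.
        return self.likelihood * self.impact


def prioritise(register):
    """Highest-scoring risks first, so treatment starts with the worst."""
    return sorted(register, key=lambda e: e.score(), reverse=True)


# Constructed register built from the examples in the post.
REGISTER = [
    RiskEntry("Customer database", "employee susceptibility to phishing", "phishing email delivering spyware", "intentional", "unauthorised access to databases and sensitive files", 4, 5),
    RiskEntry("File server", "unpatched system flaw", "ransomware attack", "intentional", "systems locked, deadlines and contracts missed", 3, 5),
    RiskEntry("Server room", "premises exposed to a burst pipe", "burst pipe floods the room", "natural", "hardware loss, systems offline", 2, 4),
    RiskEntry("Sensitive files", "employee liable to make mistakes", "file sent to the wrong recipient", "unintentional", "loss of privacy, regulatory action", 4, 3),
]

if __name__ == "__main__":
    for e in prioritise(REGISTER):
        print(f"{e.score():>2}  {e.asset}: {e.threat} exploits {e.vulnerability} -> {e.risk}")
```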
This can be a labour-intensive task, but with our risk management tool, vsRisk, the hard work has been done for you.
This software package provides a simple and fast way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.
Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.
Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.
Try vsRisk today with our free 30-day trial.