Understanding Risk in Security+
Risk, Threat, Vulnerability
If you plan to take the Security+, or even the SSCP or CISSP exams, you need to understand three basic terms: risk, threat, and vulnerability. Risk is the likelihood that a threat will exploit a vulnerability, combined with the loss (impact) that would result if it did. It's sometimes expressed informally as Risk = Threat * Vulnerability; when risks are actually scored, likelihood and impact are the two factors that get multiplied.
A threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability. Threats include natural threats such as hurricanes, floods, tornadoes, and earthquakes. They also include man-made threats, such as an attacker trying to break into your network or malicious software (malware) infecting your systems. In general, you can't prevent threats, but you can reduce their likelihood of success and their impact.
A vulnerability is a flaw or a weakness. It can be a weakness in the hardware, software, configuration, or process that has the potential to be exploited. For example, if a system is not kept up to date with patches, or is not hardened from the default configuration, the system is vulnerable. Note that just because a vulnerability exists doesn’t mean it will be exploited.
When a threat and a vulnerability come together, an organization can suffer a loss.
You can't eliminate risk. However, you can take steps to reduce it. Risk management includes the steps taken to identify as many threats and vulnerabilities as possible, and then to prioritize the resulting risks by their likelihood and impact. High-scoring risks are addressed first, and low-scoring risks are often simply accepted.
Risk mitigation reduces the chance that a threat will exploit a vulnerability by implementing controls (also called countermeasures or safeguards). Senior management decides which controls to purchase and which risks to mitigate. The risk that remains after controls are in place is residual risk, and senior management is responsible for any losses suffered from it.
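The scoring, prioritization, and residual-risk steps described above, worked through in code. This is an added example, not part of the original article or any exam material: the five-point likelihood and impact scales, the risk appetite threshold of 6, the control effects, and the three register entries are all constructed assumptions chosen to illustrate the process.

```python
"""Toy risk register: score risks, prioritize them, and compute residual risk.

Assumed qualitative scales (1 = low, 5 = high). Real organizations define
their own scales; these are illustrative only.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk appetite: a residual score at or below this is accepted.
RISK_APPETITE = 6


@dataclass
class Control:
    """A countermeasure. Reductions are steps removed from the 1-5 ratings."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """A threat/vulnerability pair with rated likelihood and impact."""
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any controls: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Risk remaining after every listed control is applied.

        Ratings never drop below 1: a control can make a threat very unlikely,
        but it cannot make the risk disappear entirely.
        """
        lik = LIKELIHOOD[self.likelihood]
        imp = IMPACT[self.impact]
        for c in self.controls:
            lik -= c.likelihood_reduction
            imp -= c.impact_reduction
        return max(lik, 1) * max(imp, 1)

    def treatment(self) -> str:
        """Decision rule: accept what is within appetite, otherwise keep mitigating."""
        return "accept" if self.residual_score() <= RISK_APPETITE else "mitigate further"


def prioritize(risks: list) -> list:
    """Order the register so the highest inherent risks are addressed first."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


# Constructed sample register (not real data).
REGISTER = [
    Risk("malware", "servers missing patches, no antivirus", "likely", "major",
         controls=[Control("antivirus, kept up to date", likelihood_reduction=2),
                   Control("monthly patching", likelihood_reduction=1)]),
    Risk("flood", "data center on a floodplain", "rare", "severe"),
    Risk("phishing", "users click links in unexpected mail", "almost certain", "moderate",
         controls=[Control("awareness training", likelihood_reduction=1)]),
]


def summarize(risks: list) -> list:
    """Return (threat, inherent, residual, treatment) tuples in priority order."""
    return [(r.threat, r.inherent_score(), r.residual_score(), r.treatment())
            for r in prioritize(risks)]


if __name__ == "__main__":
    for threat, inherent, residual, decision in summarize(REGISTER):
        print(f"{threat:10} inherent={inherent:2} residual={residual:2}  -> {decision}")
```

Two things the numbers show that the prose only states: the flood risk is never mitigated yet still ends up accepted, because its inherent score is already within appetite, and the phishing risk stays on the "mitigate further" list even after training, because one control did not bring the residual score below the threshold. That residual figure is what senior management is signing off on.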
While you'll likely be tested on the basic definition of risk, much of the rest of these exams focuses on identifying threats and vulnerabilities and on implementing different types of controls. For example, malicious software (malware) is a significant threat, and if an organization doesn't use antivirus software and keep it up to date, it is highly vulnerable.