Risk, Threat, or Vulnerability? How to Tell the Difference

In cybersecurity, risk is the potential for loss, damage or destruction of assets or data. Threat is a negative event, such as the exploit of a vulnerability. And a vulnerability is a weakness that exposes you to threats, and therefore increases the likelihood of a negative event. This blog picks apart risk vs. threat vs. vulnerability to help you see how they’re different—and how they’re related.

Words matter, especially in cybersecurity

Like any other industry, cybersecurity has its own vernacular. What separates security jargon from some other types is the preciseness cybersecurity professionals use within their language. To lay people or novices, these terms often blend together and even seem interchangeable. And since cybersecurity has a lot of moving parts, it’s easy for those new to vulnerability management to get them mixed up. 

Three of the most commonly confused terms are risk, threat, and vulnerability. Mixing up these terms clouds your ability to understand how the latest vulnerability management tools and technologies work, and impedes communication with other security (and non-security) professionals. The distinctions may be fundamental, but they’re also important. Here, we’ll explain what they mean and why they’re important.

Risk vs. threat vs. vulnerability

In a nutshell, risk is the potential for loss, damage or destruction of assets or data caused by a cyber threat. Threat is a process that magnifies the likelihood of a negative event, such as the exploit of a vulnerability. And a vulnerability is a weakness in your infrastructure, networks or applications that potentially exposes you to threats.  

So when a threat targets a vulnerability that exists in your IT infrastructure, network or applications, it can result in risk to your assets, data or business. 

That’s the high level. Now let’s dig a bit deeper.

What is Risk? An organization’s risk profile fluctuates depending on internal and external environmental factors. It incorporates not just the potential or probability of a negative event, but the impact that event may have on your infrastructure. And though risk can never be 100% eliminated—cybersecurity is a persistently moving target, after all—it can be managed to a level that satisfies your organization’s tolerance for risk. No matter how you deal with it, the end goal remains the same—to keep your overall risk low, manageable and known. 

Helping businesses manage cybersecurity risk is the job of vulnerability management (VM) solutions. Traditional VM tends to adopt the “everything is a risk” view, which leaves Security and IT teams scrambling to somehow prioritize and remediate an ever-increasing list of vulnerabilities, many of which don’t actually pose a real danger to the organization. This results in wasted time, money, and resources, and very often creates a rift between Security teams struggling to blindly prioritize what’s most important and IT and DevOps teams who have to remediate without context or meaningful prioritization. Ultimately, risk is not lowered and teams cannot provide comprehensive or accurate reports of their efforts. 

Risk-based vulnerability management (RBVM) flips the traditional model on its head. Instead of using arbitrary prioritization methods, organizations define their acceptable level of risk and tailor their risk prioritization accordingly based on real-time threat intelligence, advanced data science and machine learning-powered prioritization. This matures standard, inefficient, and ineffective vulnerability management into risk-based vulnerability management. A risk-based approach to vulnerability management helps isolate the organization’s top risks, eliminating the need for guesswork and wasted cycles spent chasing vulns that won’t move the needle on risk. Ultimately, RBVM helps you make real, significant strides in lowering your risk profile. 

What is a Threat? Today’s cybersecurity landscape roils with an endless stream of potential threats—from malware that plants dangerous executables in your software and ransomware that locks up your systems to specially targeted hacker attacks. All of these threats look for a way in, a vulnerability in your environment that they can exploit. Some threats, however, hold more potential for exploitation than others. The more rich, fresh data you can access and analyze about these threats, the more strategic and impactful decisions you can make regarding your vulnerability management and remediation. 

Real-time threat intelligence can enhance your current efforts to identify the vulnerabilities attackers are discussing, experimenting with or using. These bad actors write exploits that are designed to take advantage of known vulnerabilities, and threat intelligence helps you determine how an exploit is actually behaving in the wild and if there are known fixes. Details like Common Vulnerability Scoring System (CVSS) data, remediation, vulnerability velocity and volume, exploit data, fixes and patch information can all serve to improve your Security and IT response times, more accurately target your remediation efforts on high-risk vulnerabilities, and provide timely and comprehensive updates to leadership. The most advanced solutions even offer predictive modeling, helping you anticipate and annihilate future threats. 

What is a Vulnerability? Vulnerabilities are weak spots within your environment and your assets—weaknesses that open you up to potential threats and increased risk. And unfortunately, an organization can have thousands, often millions of vulnerabilities. Remediating all of them is not feasible, especially when most organizations only have the capacity to patch one out of every ten vulnerabilities. While that may sound like a losing battle, the good news is that only 2%-5% of vulnerabilities are likely to be exploited. And among those, an even smaller percentage are likely to pose an actual risk to your business, because, for instance, many of those vulnerabilities may not be actively exploited within your industry. So much for that old “everything is a risk” approach.

This is where risk-based vulnerability prioritization plays a crucial role. By giving Security and IT teams the tools and insight to hone their remediation efforts on the vulnerabilities that are most likely to be exploited (and that pose the biggest risk to your business), you will not only save time, money and cycles, but you’ll improve collaboration and help lower the organization’s overall cyber risk. Aligning teams around risk means you’ll no longer be wasting resources patching vulnerabilities that don’t pose a real threat to the organization, and instead can dedicate time to more strategic activities. (Some RBVM solutions even allow you to set meaningful remediation SLAs based on the potential risk posed by a vulnerability weighed against your organization’s risk tolerance levels.) 

Where to go from here

Understanding risk vs. threat vs. vulnerability is a good first step toward achieving a stronger, more efficient vulnerability management approach and a culture aligned around managing and lowering risk.

Just beginning your vulnerability management journey? Or interested in shifting gears to a more effective risk-based approach?  Find the resources you need at www.cisco.com/go/vulnerability-management.

This blog was originally written for Kenna Security, which has been acquired by Cisco Systems. Learn more about Cisco Vulnerability Management.