Asset, threat, and vulnerability are known as the risk management triples. It is important to understand the relationship between these three central components. Though these terms are often used interchangeably, they are distinct, with different meanings and implications. Let’s take a look.

Asset – what we’re trying to protect.

An asset is any data, device or other component of an organization’s systems that is valuable: people, property, and information.

  • People may include employees and customers along with other invited persons such as contractors or guests.
  • Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information.
  • Information may include databases, software code, critical company records, and many other intangible items.

Threat – what we’re trying to protect against.

A threat is any incident that could negatively affect an asset: anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

Threats can be categorized as circumstances that compromise the confidentiality, integrity or availability of an asset, and can either be intentional or accidental.

  • Intentional threats: criminal hacking (spyware, malware, adware companies) or a malicious insider stealing information.
  • Accidental threats: employee error, a technical malfunction or an event that causes physical damage, such as a fire or natural disaster.
  • Natural threats, such as floods, hurricanes, or tornadoes.
  • Unintentional threats, like an employee mistakenly accessing the wrong information.

Vulnerability – a weakness or gap in our protection efforts.

A vulnerability is a weakness or gap in a security program that can be exploited by threats to gain unauthorized access and destroy, damage or compromise an asset. In other words, it is a known issue that allows an attack to succeed.

Relationship between assets, threats and vulnerabilities

So, let’s see what this matching of the three components could look like. For example:

Asset: system administrator:

    • threat: frequent errors; vulnerability: lack of training (potential loss of integrity and availability)
    • threat: unavailability of this person; vulnerability: there is no replacement for this position (potential loss of availability)

Asset: paper document:

    • threat: unauthorized access; vulnerability: document is not locked in a cabinet (potential loss of confidentiality)
    • threat: fire; vulnerability: there is no backup of the document (potential loss of availability)
    • threat: fire; vulnerability: document is not stored in a fire-proof cabinet (risk related to the loss of availability of the information)

Asset: digital document:

    • threat: unauthorized access; vulnerability: the access was given to too many people (potential loss of confidentiality, integrity and availability)
    • threat: virus; vulnerability: anti-virus program is not properly updated (potential loss of confidentiality, integrity and availability)
    • threat: disk failure; vulnerability: there is no backup of the document (potential loss of availability)
    • threat: unauthorized access; vulnerability: access control scheme is not properly defined (potential loss of confidentiality, integrity and availability)
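
The list above can be kept as a small risk register and pivoted on the vulnerability to see which single fix closes more than one asset/threat pair. The following is an added example, not part of the original article; the pipe-delimited row layout and the function names are assumptions made for illustration, and the rows are a subset copied from the list.

```python
import re
from collections import defaultdict

# Rows copied from the article's list; the "asset | ..." layout is an assumption.
REGISTER = """\
system administrator | threat: frequent errors; vulnerability: lack of training (potential loss of integrity and availability)
paper document | threat: unauthorized access; vulnerability: document is not locked in a cabinet (potential loss of confidentiality)
paper document | threat: fire; vulnerability: there is no backup of the document (potential loss of availability)
digital document | threat: virus; vulnerability: anti-virus program is not properly updated (potential loss of confidentiality, integrity and availability)
digital document | threat: disk failure; vulnerability: there is no backup of the document (potential loss of availability)
"""

ROW = re.compile(
    r"^(?P<asset>[^|]+)\|\s*threat:\s*(?P<threat>[^;]+);\s*"
    r"vulnerability:\s*(?P<vuln>.+?)\s*\((?P<impact>[^)]*)\)\s*$"
)
CIA = ("confidentiality", "integrity", "availability")

def parse_register(text):
    """Parse rows into dicts; reject any row that lacks one of the three parts."""
    rows = []
    for n, line in enumerate(filter(str.strip, text.splitlines()), 1):
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"row {n}: not an asset/threat/vulnerability triple")
        impact = m["impact"].lower()
        rows.append({"asset": m["asset"].strip(), "threat": m["threat"].strip(),
                     "vulnerability": m["vuln"].strip(),
                     "impact": {p for p in CIA if p in impact}})
    return rows

def by_vulnerability(rows):
    """Pivot: vulnerability -> set of (asset, threat) pairs it leaves exposed."""
    pivot = defaultdict(set)
    for r in rows:
        pivot[r["vulnerability"]].add((r["asset"], r["threat"]))
    return dict(pivot)

def exposed_properties(rows, asset):
    """Union of the CIA properties at risk for one asset across all its rows."""
    return set().union(*(r["impact"] for r in rows if r["asset"] == asset))

if __name__ == "__main__":
    pivot = by_vulnerability(parse_register(REGISTER))
    for vuln, pairs in sorted(pivot.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(pairs)} exposure(s) <- {vuln}: {sorted(pairs)}")
```
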
