As more and more people talk about security, I hear the terms threat, vulnerability, mitigation and risk used, often in what I believe is the wrong context.
There are lots of attempts to define the terms, write taxonomies, etc. There is little point in duplicating this; however, here is how I think about the terms, using one running example…
| Term | Example |
|---|---|
| Threat | Someone could steal my laptop. |
| Threat Actor | A random chancer in this example. Other examples could be someone specifically targeting my laptop (which alters the likelihood and the threat intelligence). |
| Incident | A random chancer steals my laptop. |
| Threat Intelligence | On average, each hotel suffers one incident of theft from rooms per year. |
| Vulnerability | I leave my laptop unattended in a hotel room that has weak room security (see Hotel room zero-factor authentication). |
| Likelihood | I stay in a hotel about 1 day in 20. Combined with my threat intelligence, this suggests the example is relatively rare. |
| Impact | A competitor is able to gain advantage from information on the laptop, if the chancer recognises the data and finds a buyer. |
| Risk | If I leave my laptop in a hotel room, there is a small chance that it will be stolen and company confidential information finds its way to a competitor. |
| Risk Treatment | Mitigation 1: Encrypt the disk with a boot-level password, and follow operational procedures to ensure the disk is encrypted whenever the laptop is unattended. Mitigation 2: Company policy: do not leave laptops in hotel rooms unattended. |
I find these examples easier to relate to than definitions. Do they work for you? Thoughts welcome.