A threat is a potential cause of an unwanted incident that may result in harm to a system or organization (ISO 13335-1). A threat does harm by exploiting a weakness in the system; MITRE's CVE Terminology divides such weaknesses into two categories: vulnerabilities and exposures.

A vulnerability, according to MITRE's CVE Terminology, is a mistake in software that can be used directly by a hacker to gain access to a system or network. A vulnerability:

  • Allows an attacker to execute commands as another user.
  • Allows an attacker to access data that is contrary to the specified access restrictions for that data.
  • Allows an attacker to pose as another entity.
  • Allows an attacker to conduct a denial of service.

An exposure is defined by MITRE's CVE Terminology as a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. An exposure does not by itself grant the access a vulnerability does, but it makes an attack easier. An exposure:

  • Allows an attacker to conduct information gathering activities.
  • Allows an attacker to hide activities.
  • Includes a capability that behaves as expected, but can be easily compromised.
  • Is a primary point of entry that an attacker may attempt to use to gain access to the system or data.
  • Is considered a problem according to some reasonable security policy.

A risk, according to the ISO 31000 definition, is the effect of uncertainty on objectives, where an effect is a deviation from the expected, positive or negative. ISO 31000 notes that risk is often expressed as a combination of:

  • The likelihood of an event occurring.
  • The consequences (impact) of the event if it occurs.