A threat is a potential cause of an unwanted impact on a system or organization (ISO 13335-1). Threats fall into two categories: vulnerabilities and exposures.
A vulnerability, according to MITRE’s CVE Terminology, is a mistake in software that can be used by a hacker to gain access to a system. A vulnerability:
- Allows an attacker to execute commands as another user.
- Allows an attacker to access data that is contrary to the specified access restrictions for that data.
- Allows an attacker to pose as another entity.
- Allows an attacker to conduct a denial of service.
An exposure is defined by MITRE’s CVE Terminology as a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. An exposure:
- Allows an attacker to conduct information gathering activities.
- Allows an attacker to hide activities.
- Includes a capability that behaves as expected, but can be easily compromised.
- Is a primary point of entry that an attacker may attempt to use to gain access to the system or data.
- Is considered a problem according to some reasonable security policy.
A risk, according to the ISO 31000 definition, is the effect of uncertainty on objectives, where an effect is a deviation from the expected, positive or negative. ISO 31000 notes that risk can be regarded in terms of:
- Likelihood of an event occurring.
- Impact of the event if it occurs.