By Bugcrowd, Feb 7, 2019

# [Guest Blog] The Difference Between Threats, Threat Actors, Vulnerabilities, and Risks

This blog first appeared on Daniel Miessler's blog.

There is a never-ending debate on the language around Threat Modeling. About three in four presentations you'll see on the topic will mangle and conflate these terms in unholy ways.

So what I want to do here is give what I believe to be the clearest definitions of the terms—specifically around the difference between a threat and a risk, and a threat and a threat actor.

## Threats

A Threat is a negative event that can lead to an undesired outcome, such as damage to, or loss of, an asset. Threats can use—or become more dangerous because of—a vulnerability in a system.

In common usage, the word Threat is used interchangeably (in different contexts) with both Attack and Threat Actor, and is often generically substituted for Danger.

### Examples

Common Threats include things like:

- An activist tries to steal data from your website
- A fire starts in your datacenter
- An administrator accidentally turns off your website's AWS instance
- A flood hits your headquarters
- An insider tries to sell your corporate secrets to a competitor

It's something negative, such as an event or an attack, that presents danger to you and that we want to avoid.

## Threat Actors

Once we know what threats are, it's pretty straightforward to see what Threat Actors are. They're simply the person, actor, entity, or organization that is initiating the given scenario.

This is generally reserved for human-driven scenarios, such as hack attempts. It doesn't usually make sense to talk about threat actors when the event is a flood or an earthquake, for example. And if it does, you probably have a book deal in your future.

### Examples

Common Threat Actors include things like:

- Hacktivists
- Cybercriminals
- Disgruntled insiders
- Nation states
- Careless employees
- Nature

Don't discount natural elements when considering Threats. While they might not have traditional Threat Actors, natural Threat events can often cause significantly more damage than human-based Threats.

## Vulnerabilities

Vulnerabilities are simply weaknesses in the system, and are not as commonly confused as the other terms. Vulnerabilities are what make Threats possible and/or more significant.

### Examples

Common examples of Vulnerabilities include:

- Lack of proper building access control
- Cross-site Scripting (XSS)
- SQL Injection
- Cleartext transmission of sensitive data
- Failure to check authorization to sensitive resources
- Failure to encrypt sensitive data at rest

Vulnerabilities are the weaknesses that Threat Actors take advantage of to do what they're trying to do.

## Risks

Risks are most commonly confused with threats, but they're different in a crucial way.

A risk, in plain language, is the chance of something bad happening combined with how bad it would be if it did happen.

Let's unpack that—it's a chance of something bad happening…combined with how bad it would be if it happened. It's essentially the combination of Probability and Impact, and in fact the most common equation for risk is the following:

risk = probability x impact

The cause of confusion between Threats and Risks is that most people use both terms interchangeably as a substitute for "scenarios", without understanding the difference, e.g.:

> We need to protect against these risks.

…or…

> We need to protect against these threats.

…which are both the same as…

> We need to protect against these scenarios.

It's true that both refer to scenarios: the difference is that a Threat is a negative event by itself, whereas a Risk is the negative event combined with its probability and its impact.

## Summary

- A Threat is a negative scenario you want to avoid
- A Threat Actor is the agent that makes a Threat happen
- A Vulnerability is a weakness that can be exploited in order to attack you
- A Risk is a negative scenario you want to avoid, combined with its probability and its impact
- The difference between a Threat and a Risk is that a Threat is a negative event by itself, whereas a Risk is the negative event combined with its probability and its impact
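The distinction the post draws (a Threat is the event by itself; a Risk is that event plus probability and impact; a Vulnerability changes the probability) can be made concrete as a small risk register. This is an added example, not code from the original post; the probabilities and dollar impacts are constructed sample values, and the `Threat`/`Risk` classes and `rank_risks` function are this example's own names.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Threat:
    """A negative event by itself: no probability or impact attached."""
    event: str
    actor: Optional[str] = None          # None for natural threats (fire, flood)
    vulnerabilities: tuple = ()          # weaknesses the threat relies on

@dataclass(frozen=True)
class Risk:
    """The same threat combined with its probability and its impact."""
    threat: Threat
    probability: float   # chance the event happens in the period considered (0..1)
    impact: float        # estimated loss if it does (constructed, in USD)

    @property
    def score(self) -> float:
        # The post's formula: risk = probability x impact
        return round(self.probability * self.impact, 2)

def rank_risks(risks: list) -> list:
    """Order a risk register so the highest-scoring scenarios come first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)

# Constructed register built from the post's own threat examples.
STEAL_DATA = Threat("An activist tries to steal data from your website",
                    actor="Hacktivist", vulnerabilities=("SQL Injection",))
FIRE = Threat("A fire starts in your datacenter")            # no threat actor
OUTAGE = Threat("An administrator accidentally turns off your website's AWS instance",
                actor="Careless employee")

REGISTER = [
    Risk(STEAL_DATA, probability=0.30, impact=500_000),
    Risk(FIRE, probability=0.02, impact=5_000_000),
    Risk(OUTAGE, probability=0.50, impact=20_000),
]

# Same threat, different risk: once the SQL injection is fixed the event is
# less likely (constructed value), so the score drops while the threat stays.
STEAL_DATA_AFTER_FIX = Risk(replace(STEAL_DATA, vulnerabilities=()),
                            probability=0.05, impact=500_000)

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.score:>12,.2f}  {r.threat.event} (actor: {r.threat.actor or 'nature'})")
```

Note that the fire ranks above the outage despite having no Threat Actor at all, which is the post's point about not discounting natural elements.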