Defining Risk, Threat and Vulnerability

NIST SP 800-30, as any good standard does, defines a few key concepts that are essential both to understanding how the risk assessment process works and to discussing risk consistently as you carry the assessment forward inside the organization. The first, of course, is risk itself, which NIST defines as "a measure of the extent to which an entity is threatened by a potential circumstance or event." NIST goes on to say that risk is a function of two things: the likelihood that the circumstance or event occurs, and the adverse impact if it does. In other words, how likely is this to happen, and how much damage will it do to us? A threat is any circumstance or event with the potential to adversely affect your operations. That is not limited to information security in the narrow sense; it includes operational disruption, loss of data integrity, or even your ability to open the doors in the morning. A vulnerability is a weakness in an information system, in its security procedures, in internal controls, or in how a process is implemented within your organization that could be exploited by a threat source. Keeping the three terms distinct matters in practice: a vulnerability with no threat source positioned to exploit it, or a threat with no vulnerability to act on, produces little risk, and it is the combination of the two, weighted by likelihood and impact, that the assessment is trying to measure.

