Monday, October 24, 2005

Risks vs. Vulnerabilities vs. Threats

My experience tells me that a lot of people are still confused over the differences between risks, threats and vulnerabilities. In fact, even security pros (who should know better) often find themselves misusing the terms in casual conversation. The following simple analogy may help clarify the situation:

Imagine that you are going on a trip. While packing your suitcase, you realize that you need to bring some shampoo. Your shampoo has a flip top, not a screw top, and so you're concerned that if you pack your bag too full, the airport baggage handlers might treat your bag roughly, exerting excess pressure on the bottle and popping the top. Shampoo could spurt all over your stuff!

In this scenario, you have a vulnerability (the flip top shampoo bottle which might not survive a good squeeze). The threat is that baggage handlers are not known for being gentle. The risk is that your clothes might get doused with shampoo.

Change any one of these conditions and you don't have anything to worry about. If you remove the vulnerability by taking a screw top bottle instead, your clothes will be fine because even the baggage monkeys can't rupture a properly made bottle (you hope). Similarly, if you decide to carry your luggage on, you can probably avoid the baggage handlers altogether, and you will naturally be more careful with your own bag.

While we're on the subject, let's carry the analogy a bit further and talk about countermeasures. There are four basic types of countermeasures: Preventative, Reactive, Detective and Administrative. Preventative countermeasures work by keeping something from happening in the first place. In the example above, enclosing the bottle in a rigid plastic box would certainly help keep it from being crushed, and would count as a preventative countermeasure.

A reactive countermeasure comes into play after an event has already occurred. If you arrived at your hotel and found that your clothes were, in fact, covered with goo, you could make use of the hotel's laundry to correct the problem. This would be an example of a reactive countermeasure.

I can't really think of a realistic example of a detective measure here (a shampoo-sniffing dog?). Finally, an administrative countermeasure uses policy to protect an asset. In this case, you could attempt to avoid the situation entirely by making it your policy to rely on the hotel's shampoo, thus removing your need to bring your own.

I hope this has made things a little clearer. It is the combination of the vulnerability (the flip-top shampoo bottle) and the threat (baggage monkeys at the airport) that creates a risk (to the clothes). You can attempt to use various countermeasures to bring the risk down to acceptable levels, or you could simply accept the risk and move on.

Of course, as I am a devious person, I might choose to take a different option. I can always transfer the risk by packing the shampoo in my wife's bag. I'll leave you to do your own risk analysis for that one...

1 comment:

Jeffrey said...

Thanks for the good explanation!