The fact is, new vulnerabilities come to light every day. Unfortunately, staying ahead of these new vulnerabilities, or otherwise addressing them promptly, has proven to be incredibly difficult (not to mention costly). The good news is, not all vulnerabilities impact every organization. But, for vulnerabilities that do apply, it is often difficult to make risk-based decisions to address them – do we mitigate, avoid, transfer, or accept them?
These decisions become a great deal easier when organizations include the likelihood of an exploit along with a vulnerability's impact as risk analysis inputs. In these cases, impact is often relatively straightforward. For example, we might consider legal, strategic, financial, operational, or reputational impacts or, as Common Vulnerability Scoring System (CVSS) does, we might consider impact to classic objectives like confidentiality, integrity and availability.
Likelihood seems softer than impact and, as a result, we might think it is harder to determine. To get there, we have to think about the threats that could take advantage of a vulnerability. To exploit a vulnerability, there first must be a related threat. As it turns out, CVSS has sorted out quantifying likelihood by prompting for easier-to-answer questions like the origin of a threat, the difficulty of an exploit and the need for a victim's involvement. One of the common shortcomings of vulnerability management processes is their often-limited understanding of applicable threats.
So, what is a threat?
We think of a threat scenario as a threat agent acting against a target to accomplish an objective. For example, a hacker targeting an e-commerce website to steal credit card data. A vulnerability creates a point of entry through which the attacker can reach the target. In a more complex attack, a hacker might work through a series of layers, exploiting various vulnerabilities along the way.
We worry about threats from thieves, hackers, malware and ransomware, social engineers and phishers, and natural disasters. However, the definition of a threat can encompass more than just these common actors. For example, an organization might view regulatory compliance as a threat. After all, an audit can have a significant impact – fines and penalties.
Why does understanding threats matter?
Regardless of your organization, addressing vulnerabilities is a business decision. As with any other business decision, risk and cost are a factor. Understanding a vulnerability in the context of the threats that might exploit it makes it easier to plan a course of action and prioritize your response.
Editor’s note: For more on this topic, download ISACA’s new white paper on vulnerability assessment.