The Difference Between Threat, Vulnerability, and Risk, and Why You Need To Know - Trava-Min
Cyber threats are real—and more common than you think. According to the FBI’s
2020 Internet Crime Report, the Internet Crime Complaint Center received
791,790 cyber crime complaints in 2020. That’s a 69 percent increase from 2019,
and the number of ransomware attacks continues to rise. In July, IT management
software company Kaseya fell victim to a supply chain ransomware attack, which
affected 1,500 businesses.
https://www.travasecurity.com/blog/the-difference-between-threat-vulnerability-and-risk-and-why-you-need-to-know 1/5
12/21/2022 The Difference Between Threat, Vulnerability, and Risk, and Why You Need to Know | Trava
The word “threat” is often confused with (or used interchangeably with) the words
“risk” and “vulnerability.” But in cybersecurity, it’s important to differentiate
between threat, vulnerability, and risk. A threat exploits a vulnerability and can
damage or destroy an asset. Vulnerability refers to a weakness in your hardware,
software, or procedures. (In other words, it’s a way hackers could easily find their
way into your system.) And risk refers to the potential for lost, damaged, or
destroyed assets.
But that’s just the brass tacks. Let’s take a deeper look at the difference between
threat, vulnerability, and risk, and why you need to know.
Threats have the potential to steal or damage data, disrupt business, or create
harm in general. To keep that from happening, you need to know what cyber
threats exist. In general terms, there are three categories.
Intentional threats: Things like malware, ransomware, phishing, malicious code, and
wrongfully accessing user login credentials are all examples of intentional threats. They
are activities or methods bad actors use to compromise a security or software system.
Unintentional threats: Unintentional threats are often attributed to human error. For
example, let’s say you forgot to lock the back door before leaving for work. While
you’re at the office, a thief seizes the opportunity to sneak into your home and steal
your valuables. Even though you didn’t mean to leave the door unlocked, the thief took
advantage of your home’s vulnerability. In the cybersecurity industry, someone might
leave the door to the IT servers unlocked or leave sensitive information unmonitored.
An employee could forget to update their firewall or anti-virus software. Current and
even former employees may also have unnecessary access to sensitive data, or simply
be unaware of the threats. (Which is why employee training is so important.)
Natural threats: While acts of nature (floods, hurricanes, tornadoes, earthquakes, etc.)
aren’t typically associated with cybersecurity, they are unpredictable and have the
potential to damage your assets.
ways to protect you and your company’s data, check our ebook “10 Cyber Risk
Management Issues Every Business Needs to Address ASAP.”
What is vulnerability?
Take Kaseya. The FBI described the incident as “a vulnerability in Kaseya VSA
software against multiple managed service providers (MSPs) and their customers.”
Huntress, a cybersecurity firm, tracked 30 MSPs involved in the breach and
concluded that the attack was due to an authentication bypass vulnerability in
Kaseya’s VSA web interface. It allowed attackers to work around authentication
controls and upload malware.
Cyber risk is the intersection of assets, threats, and vulnerabilities. It’s the
potential for loss, damage, or destruction of an asset when a threat takes
advantage of a vulnerability. Put another way:
To determine your level of cyber risk, you have to understand the types of threats
that are out there and know your system’s vulnerabilities. Although cybersecurity
is an ever-moving target, you can keep your overall risk low. Trava has a free cyber
risk checkup tool that runs a top-level scan of your domain. (The lower your score,
the lower your risk.) By determining your level of risk, you can create a solid cyber
risk management plan.
Capturing, storing, and using sensitive data is essential for most organizations,
but holding and accessing it means you have the responsibility to protect it.
Understanding the difference between threat, vulnerability, and risk is the first
step toward developing a cyber risk management plan. After all, cyber risk is
business risk. If you can’t keep your customers’ data safe, you may lose their
business, not to mention your reputation.