Risks vs. Threats

If you work in information security, you live in a world of risks, threats and vulnerabilities and use these concepts daily. We often substitute one for the other, so the line between what is a risk and what is a threat to information security is not always visible.

On the one hand, we build threat models following domestic (Russian) regulations; on the other, we maintain risk registers and risk treatment plans guided by the international ISMS standards.

How are risks related to threats: are they different things, or the same thing? That is what this article considers.

In short, a threat is part of a risk, but let's break it down.

The concept of risk has many definitions; in Russian information security standards and regulations alone there are six of them.

Information security risk definitions

There are various definitions of risk; here are some of them:

risk: combination of the probability of an event and its consequences

GOST R 51901.1-2002 Risk management. Risk analysis of technological systems

Risk of violation of telecommunication network security: the probability of damage to the telecommunication network or its components due to a certain threat being realized as a result of the presence of a certain vulnerability in the telecommunication network.

GOST R 52448-2005 Protection of information. Ensuring the security of telecommunication networks. General Provisions

information security risk: the potential that a vulnerability will be exploited by a threat against an asset or group of assets, causing damage to the organization.

GOST R ISO/IEC 27005-2010 Information technology (IT). Methods and means of ensuring security. Information security risk management

Risk: the effect of uncertainty on objectives.
An effect is a deviation from the expected, positive or negative.
Uncertainty is the state, even partial, of deficiency of information related to an event, its consequences or likelihood, or of understanding or knowledge of it.
Risk is often characterized by reference to potential "events" and "consequences", or a combination of both.
Risk is often expressed as a combination of the consequences of an event (including changes in circumstances) and the associated "likelihood" of occurrence.
In the context of information security management systems, information security risks can be expressed as the effect of uncertainty on information security objectives.
Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to the organization.

GOST ISO/IEC 27000-2012 Information technology (IT). Methods and means of ensuring security. Information security management systems. Overview and vocabulary

risk: the potential for harm to an organization as a result of a threat being realized through vulnerabilities of an asset or group of assets
NOTE: Defined as a combination of the probability of an event and its consequences.

GOST R ISO/IEC 13335-1-2006 Information technology (IT). Methods and means of ensuring security. Part 1. Concepts and models for information and communications technology security management

risk: the combination of the probability of harm and the severity of that harm.

GOST R 51898-2002 Security aspects. Rules for inclusion in standards

The situation with the concepts of threat and vulnerability is a little more specific.

Threat definitions

threat: a potential cause of an unwanted incident that may result in harm to a system or organization.

GOST R ISO/IEC 27002-2012

information security threat: a set of conditions and factors that create a potential or actual danger of a breach of information security.

R 50.1.056-2005; Methodological document of FSTEC of Russia dated 05.02.2021, "Methodology for assessing information security threats"

A threat to the security of personal data processed in a personal data information system (ISPD) is understood as a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying or distribution of personal data, as well as other unauthorized actions during their processing in the personal data information system.

Methodology for determining current threats to the security of personal data during their processing in personal data information systems. FSTEC of Russia

threat: a potential source of danger, harm, etc.

GOST R 58771-2019 Risk management. Risk assessment technologies

Vulnerability definitions

vulnerability: a weakness of one or more assets that can be exploited by one or more threats.

GOST R ISO/IEC 27002-2012

vulnerability (of an information system); breach: a property of an information system that makes it possible to realize threats to the security of the information processed in it.

R 50.1.056-2005; GOST R 50922-2006 (both give this definition verbatim)

vulnerability: a deficiency (weakness) of software (software or hardware) or of the system and network as a whole that can be used to realize threats to information security.

Methodological document of FSTEC of Russia dated 05.02.2021, "Methodology for assessing information security threats"

One simple but important conclusion can be drawn from these definitions: there is no single generally accepted definition of such key concepts of the information security industry as risk and threat. Consequently, a judgment about them is correct or erroneous only relative to the regulatory framework and terminology on which the discussion is based.

But if we step back from the exact wording, there is a pattern in the definitions, which I will allow myself to identify and generalize:

Risk is the possibility that a threat is realized through the exploitation of a vulnerability in an asset.

Thus a risk is, technically, nothing more than a combination of three entities:

Risk = Threat + Vulnerability + Asset

  • Threat: something bad

  • Vulnerability: a property of the asset

  • Asset: any object

Paraphrasing completely: a risk is when something bad can happen because of some property of something.

With this splitting into atoms everything falls into place, and the connection between threats and security risks becomes clear.

A threat simply describes something bad; a risk also tells us why that bad thing can happen.

A few examples of risks formulated in this scheme:

  • Disclosure of access keys (passwords) due to SMB Relay attack capabilities in Windows OS
    Here we have:

    • Threat: Disclosure of access keys (passwords)

    • Vulnerability: SMB Relay attack capabilities

    • Asset: Windows OS

  • Attacker lateral movement across the local network due to remote connectivity via RDS Shadow in Windows OS

  • Attacker persistence in the OS due to the ability to distribute scripts through Network Logon Scripts in Active Directory Domain Services

  • Malware infection due to an employee responding to fraudulent (phishing) e-mails
    // Here a person acts as the asset

  • Inoperability of server equipment due to temperature violations in the server room
    // A classic IT risk to asset availability

  • Unavailability of IT/IS personnel due to the lack of a qualified personnel policy in the company
    // This is also not strictly about information security but rather about the company's personnel and management risks; it nonetheless affects the functioning of the information security system. The asset is the company as a legal entity.

A risk in this formulation does not just name something bad, but explains why it can happen, pointing to the source of the problem.

All elements of a risk (threat, vulnerability, asset type) can be combined with each other in any appropriate combination, forming new security risks.

The advantages of this approach to formulating security risks:

  1. There is no need to duplicate the same threats, vulnerabilities and assets across different risks: we maintain three separate registers, and the risk register is nothing more than a combination of them.

  2. The view of security problems becomes broader. We can look not only at the risk register but also at the registers of threats, vulnerabilities and assets, calculating the amount of risk attributable to each element.

  3. A simple and understandable response algorithm follows from the three-part formulation of a risk: reduce the damage from the realization of the threat, eliminate the vulnerability, or reduce the likelihood of its exploitation.
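As an added illustration of the three-register scheme (this is not the article's community register and not code from the author), here is a small Python model: threats, vulnerabilities and assets live in separate registers, a risk is only a reference to one entry of each, the register refuses unknown or duplicate combinations, risk can be scored per risk or aggregated per element, and the three responses from point 3 are compared by the residual score each would leave. The sample entries reuse the article's own example risks; the ids, the 1..5 impact and likelihood scales and the impact x likelihood scoring are assumptions made for the example.

```python
# Added example: a three-register risk model (Risk = Threat + Vulnerability + Asset).
# Not the article's community register; ids, impact and likelihood values and the
# impact x likelihood scoring are constructed for illustration. The example risks
# themselves are the article's own.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    id: str
    name: str      # "something bad"
    impact: int    # damage if realized, 1..5 (constructed scale)


@dataclass(frozen=True)
class Vulnerability:
    id: str
    name: str        # the asset property that lets the threat happen
    likelihood: int  # ease of exploitation, 1..5 (constructed scale)


@dataclass(frozen=True)
class Asset:
    id: str
    name: str


@dataclass(frozen=True)
class Risk:
    # A risk is only a reference to one entry in each of the three registers.
    threat_id: str
    vuln_id: str
    asset_id: str


class RiskRegister:
    def __init__(self) -> None:
        self.threats: Dict[str, Threat] = {}
        self.vulns: Dict[str, Vulnerability] = {}
        self.assets: Dict[str, Asset] = {}
        self.risks: List[Risk] = []

    def add_risk(self, threat_id: str, vuln_id: str, asset_id: str) -> Risk:
        # Referential check: a risk may only combine atoms that are already registered.
        for key, register in ((threat_id, self.threats), (vuln_id, self.vulns),
                              (asset_id, self.assets)):
            if key not in register:
                raise KeyError(f"unknown register entry {key!r}")
        risk = Risk(threat_id, vuln_id, asset_id)
        if risk in self.risks:
            raise ValueError(f"duplicate risk {risk}")
        self.risks.append(risk)
        return risk

    def describe(self, risk: Risk) -> str:
        # The article's sentence pattern: "<threat> due to <vulnerability> in <asset>".
        return (f"{self.threats[risk.threat_id].name} due to "
                f"{self.vulns[risk.vuln_id].name} in {self.assets[risk.asset_id].name}")

    def score(self, risk: Risk) -> int:
        # Risk magnitude as impact x likelihood (one common convention, assumed here).
        return self.threats[risk.threat_id].impact * self.vulns[risk.vuln_id].likelihood

    def total_by(self, element: str) -> Dict[str, int]:
        # Aggregate risk per threat, vulnerability or asset (element is a Risk field name).
        totals: Dict[str, int] = defaultdict(int)
        for risk in self.risks:
            totals[getattr(risk, element)] += self.score(risk)
        return dict(totals)

    def treatment_options(self, risk: Risk) -> List[Tuple[str, int]]:
        # The three responses of the scheme, each with the residual score it would leave.
        t = self.threats[risk.threat_id]
        v = self.vulns[risk.vuln_id]
        return [
            ("reduce damage from the threat", max(t.impact - 1, 1) * v.likelihood),
            ("eliminate the vulnerability", 0),
            ("reduce likelihood of exploitation", t.impact * max(v.likelihood - 1, 1)),
        ]


def build_sample_register() -> RiskRegister:
    reg = RiskRegister()
    for t in (Threat("T1", "Disclosure of access keys (passwords)", 4),
              Threat("T2", "Attacker lateral movement across the local network", 4),
              Threat("T3", "Malware infection", 3)):
        reg.threats[t.id] = t
    for v in (Vulnerability("V1", "SMB Relay attack capabilities", 3),
              Vulnerability("V2", "remote connectivity via RDS Shadow", 2),
              Vulnerability("V3", "an employee responding to phishing e-mails", 4)):
        reg.vulns[v.id] = v
    for a in (Asset("A1", "Windows OS"), Asset("A2", "employee")):
        reg.assets[a.id] = a
    reg.add_risk("T1", "V1", "A1")
    reg.add_risk("T2", "V2", "A1")
    reg.add_risk("T3", "V3", "A2")
    reg.add_risk("T2", "V1", "A1")  # the same vulnerability reused in a second risk
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.risks:
        print(f"[{reg.score(r):2d}] {reg.describe(r)}")
    print("risk per asset:", reg.total_by("asset_id"))
    print("risk per vulnerability:", reg.total_by("vuln_id"))
    print("options for risk 1:", reg.treatment_options(reg.risks[0]))
```

Because each atom is stored once, changing the likelihood of "SMB Relay attack capabilities" re-scores every risk that references it, and `total_by("vuln_id")` shows that this one vulnerability carries more accumulated risk than any other, which is the view point 2 describes.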

Here we maintain a community risk register built on this three-link scheme, based on MITRE ATT&CK, the FSTEC BDU, best practices and personal experience. So far about 250 risks have accumulated, and work on filling the base is in progress. If you face the task of maintaining a risk register, you can use our community base as a starting point and take part in extending it.

I would like to end the article with the slogan that it does not matter how you account for the company's problems, or what you call a risk and what a threat... But no, it does matter, because the completeness and effectiveness of the information security systems we build, and the ability of the information security community to understand each other, depend on it.
I would be glad if you share in the comments how you keep records of information security problems in your companies and how you describe security risks.

This article does not consider such entities as the object of attack/impact, the intruder, undesirable consequences or attack scenarios; all of these are important elements of threat modeling and risk management. If there is interest, we will break them down into atoms in following articles.

