It may seem unreasonable to expect those outside the security industry to understand the differences between a threat, a vulnerability and a risk; more often than not, professionals within our own industry use these terms incorrectly or interchangeably. The Threat Analysis Group (TAG) suggests that threat, vulnerability and risk are three of the most commonly confused terms in our profession.
An asset, generally people, property or information, is what we are trying to protect. It is reasonable to include employees and customers along with contractors and guests. Property assets consist of both tangible and intangible items that can be assigned a value; intangible assets include reputation and proprietary information. Information assets may include databases, software code, critical personnel and company records, and many other forms of intangible property.
A threat is what we are trying to protect against: anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage or destroy an asset. A vulnerability is a weakness or gap in our protection efforts that a threat can exploit to gain unauthorized access to an asset. Risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. In other words, risk is the intersection of assets, threats and vulnerabilities.
Understanding the difference between these terms allows one to understand the true risk to assets. The qualitative formula for conducting a risk assessment is: Asset + Threat + Vulnerability = Risk. Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets, so removing any one of the three terms removes the risk:
- Threats may exist, but if there are no vulnerabilities – then there is little to no risk.
- Vulnerabilities may exist, but if there are no threats – then there is little to no risk.
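The two bullets above are the whole content of the Asset + Threat + Vulnerability = Risk model, and they are easy to show as a tiny risk register. The following is an added example written for this page, not code from TAG or ASIS; the asset names, the weakness classes and the rule that a threat only realises risk where it can exploit a weakness present on a tracked asset are constructed assumptions for illustration.

```python
# Added example (not from the original page): a minimal risk register that
# treats risk as the intersection of an asset, a threat and a vulnerability.
# All names, values and the matching rule below are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # relative value to the organisation (assumed 1..5 scale)


@dataclass(frozen=True)
class Vulnerability:
    asset: str     # name of the asset the weakness exposes
    weakness: str  # class of weakness, e.g. "unpatched-service"


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset  # weakness classes this threat is able to exploit
    intentional: bool = True  # accidental threats (weather, error) count too


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability


def find_risks(assets, threats, vulnerabilities):
    """Return every (asset, threat, vulnerability) triple where all three meet.

    A vulnerability on something we do not track is not a risk (no asset),
    and a vulnerability no threat can exploit is not a risk (no threat).
    """
    by_name = {a.name: a for a in assets}
    risks = []
    for v in vulnerabilities:
        asset = by_name.get(v.asset)
        if asset is None:
            continue  # weakness on an untracked item: nothing of value to lose
        for t in threats:
            if v.weakness in t.exploits:
                risks.append(Risk(asset, t, v))
    # Highest-value assets first, so remediation effort follows actual risk.
    return sorted(risks, key=lambda r: r.asset.value, reverse=True)


def unmatched(assets, threats, vulnerabilities):
    """Threats with nothing to exploit, and vulnerabilities nothing exploits.

    These are the two bullet cases: each half of the pair carries little to
    no risk on its own, which is why a register should list them separately
    rather than treat every threat or every weakness as a finding.
    """
    risks = find_risks(assets, threats, vulnerabilities)
    used_threats = {r.threat for r in risks}
    used_vulns = {r.vulnerability for r in risks}
    idle_threats = [t for t in threats if t not in used_threats]
    idle_vulns = [v for v in vulnerabilities if v not in used_vulns]
    return idle_threats, idle_vulns


# Constructed sample register (assumed data, for illustration only).
ASSETS = [Asset("customer-db", 5), Asset("lobby", 2)]
VULNERABILITIES = [
    Vulnerability("customer-db", "unpatched-service"),
    Vulnerability("lobby", "unlocked-door"),
    Vulnerability("old-printer", "default-password"),  # not a tracked asset
]
THREATS = [
    Threat("ransomware-crew", frozenset({"unpatched-service", "phishing"})),
    Threat("river-flood", frozenset({"below-grade-server-room"}), intentional=False),
]


if __name__ == "__main__":
    for r in find_risks(ASSETS, THREATS, VULNERABILITIES):
        print(f"RISK  {r.asset.name} (value {r.asset.value}): "
              f"{r.threat.name} via {r.vulnerability.weakness}")
    idle_threats, idle_vulns = unmatched(ASSETS, THREATS, VULNERABILITIES)
    for t in idle_threats:
        print(f"threat with no matching vulnerability: {t.name}")
    for v in idle_vulns:
        print(f"vulnerability with no matching threat: {v.asset}/{v.weakness}")
```

Running the block reports one risk (the customer database, exposed to the ransomware crew through the unpatched service), one idle threat (the flood, which has no below-grade room to reach) and two idle weaknesses (the unlocked lobby door nobody is modelled as exploiting, and the printer that is not on the asset list). Dropping either the threat list or the vulnerability list empties the register, which is the point of the two bullets.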
Physical security assessments tailored to actual risk enable an organization to improve the return on the time and money invested in remediation strategies. ASIS International has stated that context and risk assessment are the foundations for: (a) protecting an organization's assets, (b) complying with laws and regulations, and (c) identifying the reasonable control measures needed to mitigate risk and their associated benefits.