
Understanding the Elements of a Security Assessment


What’s the difference between a Threat, Vulnerability and Risk when performing a Security Assessment?

It may seem unreasonable to expect those outside the security industry to understand the differences between a threat, a vulnerability and a risk; more often than not, many professionals in our own industry use these terms incorrectly or interchangeably. The Threat Analysis Group (TAG) suggests that threat, vulnerability and risk are three of the most commonly mixed-up terms in our profession.

An asset, generally people, property and information, is what we are trying to protect. It is reasonable to include employees and customers along with contractors and guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical personnel and company records, and many other kinds of intangible property.

A threat is what we are trying to protect against: anything that can exploit a vulnerability, intentionally or accidentally, and can obtain, damage or destroy an asset. A vulnerability is a weakness or gap in our protection efforts, which can be exploited by threats to gain unauthorized access to an asset. Risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats and vulnerabilities.

Understanding the difference between these terms allows one to understand the true risk to assets. The formula for conducting a Risk Assessment is: Asset + Threat + Vulnerability = Risk. Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets.

  • Threats may exist, but if there are no vulnerabilities – then there is little to no risk.
  • Vulnerabilities may exist, but if there are no threats – then there is little to no risk.

Physical security assessments, tailored to actual risk, enable an organization to enhance the return on the time and money invested in remediation strategies. ASIS International has stated that context and risk assessment are the foundations for: (a) protecting an organization's assets, (b) complying with laws and regulations, and (c) identifying the reasonable control measures needed to mitigate risk and their associated benefits.

This Q&A originally appeared in Bankers' Hotline.

First published on 10/17/2021
