Relationship among vulnerability threat and control

relationship among vulnerability threat and control

View Notes - text from IST at Wilmington University. 1. Distinguish between vulnerability, threat, and control? Vulnerability: Vulnerability is a. There's a direct relationship between threats, vulnerabilities, and and prioritizes threats, it identifies security controls to protect against the. What's the Difference Between an IT Security Vulnerability, Threat and Risk Although these threats are generally outside of one's control and.

Impact refers to the magnitude of harm that can be caused if a threat exercises a vulnerability.

relationship among vulnerability threat and control

For example, a system without up-to-date antivirus software is vulnerable to malware. Malware written by malicious attackers is the threat. The likelihood that the malware will reach a vulnerable system represents the risk.

relationship among vulnerability threat and control

Depending on what the malware does, the impact may be an unbootable computer, loss of data, or a remote-controlled computer that has joined a botnet. An isolated system without Internet access, network connectivity, or USB ports has a low likelihood of malware infection. The likelihood will significantly increase for an Internet-connected system, and it will increase even more if a user visits risky websites and downloads and installs unverified files.

Insurance transfers the risk to another entity. You can mitigate risk by implementing controls.

relationship among vulnerability threat and control

When the cost of the controls exceeds the cost of the risk, many organizations accept the risk. A Risk is the likelihood that a threat will exploit a vulnerability. A vulnerability is a weakness, not all vulnerabilities are exploited, and a threat is a potential danger. It is that value that makes them assets worthy of protection, and they are the elements we want to protect.

  • Post navigation
  • What Is Computer Security?
  • Advanced Security Analytics

Other assets, such as access to data, quality of service, processes, human users, and network connectivity, deserve protection, too; they are affected or enabled by the hardware, software, and data. So in most cases, protecting hardware, software, and data covers these other assets as well. In this book, unless we specifically distinguish among hardware, software, and data, we refer to all these assets as the computer system, or sometimes as the computer. And because processors are embedded in so many devices, we also need to think about such variations as cell phones, implanted pacemakers, and automobiles.

relationship among vulnerability threat and control

Even if the primary purpose of the device is not computing, the device's embedded computer can be involved in security incidents and represents an asset worthy of protection. After identifying the assets to protect, we next determine their value. We make value-based decisions frequently, even when we are not aware of them.

What Is Computer Security? | Security Blanket or Security Theater? | InformIT

For example, when you go for a swim you can leave a bottle of water on a towel on the beach, but not your wallet or cell phone. The difference relates to the value of the assets. The value of an asset depends on the asset owner's or user's perspective, and it may be independent of monetary cost, as shown in Figure Your photo of your sister, worth only a few cents in terms of paper and ink, may have high value to you and no value to your roommate.

relationship among vulnerability threat and control

Other items' value depends on replacement cost; some computer data are difficult or impossible to replace. For example, that photo of you and your friends at a party may have cost you nothing, but it is invaluable because it can never be replaced.

On the other hand, the DVD of your favorite film may have cost a significant portion of your take-home pay, but you can buy another one if the DVD is stolen or corrupted. Similarly, timing has bearing on asset value.

Question 71. What’s the difference between a threat, vulnerability, and a risk?

For example, the value of the plans for a company's new product line is very high, especially to competitors. But once the new product is released, the plans' value drops dramatically.

To study different ways of protection, we use a framework that describes how assets may be harmed and how to counter or mitigate that harm. A vulnerability is a weakness in the system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm.

For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user's identity before allowing data access.

A threat to a computing system is a set of circumstances that has the potential to cause loss or harm. To see the difference between a threat and a vulnerability, consider the illustration in Figure Here, a wall is holding water back.

Question What’s the difference between a threat, vulnerability, and a risk?

The water to the left of the wall is a threat to the man on the right of the wall: The water could rise, overflowing onto the man, or it could stay beneath the height of the wall, causing the wall to collapse.

So the threat of harm is the potential for the man to get wet, get hurt, or be drowned. For now, the wall is intact, so the threat to the man is unrealized. Figure Threat and Vulnerability However, we can see a small crack in the wall—a vulnerability that threatens the man's security.

If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man.