Web review

Vulnerability vs. risk: Knowing the difference improves security

Author: Kacy Zurkus

Source: CSO Online

Risk management

The future leaders of cybersecurity will be fluent in languages other than technology and will stop using fear to conflate the message of vulnerability versus risk. That’s the message that kicked off this year’s (ISC)2 Security Congress conference.

Donald Freese, deputy assistant director at the FBI, and Brandon Dunlap, managing director at Brightfly, talked about the difference between vulnerability and risk as they relate to leadership. The conflation of these words is problematic because when people get caught up in fear, they start to react to threats with intensity rather than consistency.

The difference between vulnerabilities and risks

The distinction between vulnerabilities and risks is a conversation that is happening not only in Austin, Texas, this week but among many security experts. Last week, I talked with Guy Bejerano, CEO and co-founder of SafeBreach, who commented on the widespread confusion of these terms.

Review of this article

The need for a distinction

Vulnerabilities and risks must be distinguished. A vulnerability is essentially a technical fact and, by itself, says nothing about the consequences for a business or for the wider environment it sits in.

A risk is the modelling of every aspect and every impact a vulnerability may have on its stakeholders, the company and its business.

The modelling of a risk

Risks must be modelled so that they can be ranked by importance. A risk model should include an estimate of the cost to the company and its environment, an estimate of the cost of remediation, one or more remediation plans, and further aspects where needed.

It is very important for an organization to know the risks it has to face. Insurance is one answer to the financial cost these risks can generate. Lawyers in the relevant specialities, and well-drafted contracts, are an answer to the legal exposure these risks can create. And, of course, the technical aspects can be managed through compliance with standards, good practices and external audits.

In cybersecurity, the technical aspects of a risk can be modelled by threat modelling.
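As an added example (not part of the original review, nor MyCrypNet code), here is one way to turn the ideas in this section into a small risk register in Python. It uses the classic annualised loss expectancy model (single loss expectancy multiplied by the annual rate of occurrence), a standard quantitative method that is assumed here rather than prescribed by the review; the assets, values, rates and remediation costs are constructed sample data. It demonstrates the article's central point: the same vulnerability carries very different risk depending on the asset it exposes, and for some risks the sensible treatment is to accept or insure rather than fix.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Risk:
    """One line of a risk register: a technical weakness placed in its business context."""
    asset: str                 # what the weakness exposes
    vulnerability: str         # the technical finding, as a scanner or pentest would report it
    asset_value: float         # estimated value of the asset (currency units)
    exposure_factor: float     # fraction of asset value lost in one incident (0..1)
    annual_rate: float         # expected incidents per year (likelihood)
    remediation_cost: float    # one-off cost of the chosen technical fix
    plans: List[str] = field(default_factory=list)  # candidate treatments

    def single_loss_expectancy(self) -> float:
        # Cost of one incident on this asset.
        return self.asset_value * self.exposure_factor

    def annual_loss_expectancy(self) -> float:
        # Expected yearly cost: this is the "risk" number, not the vulnerability.
        return self.single_loss_expectancy() * self.annual_rate

    def return_on_mitigation(self, residual_rate: float) -> float:
        # Yearly loss avoided by the fix, minus what the fix costs.
        # Assumes the fix lowers the annual rate to residual_rate (a constructed assumption).
        residual_ale = self.single_loss_expectancy() * residual_rate
        return self.annual_loss_expectancy() - residual_ale - self.remediation_cost


def sample_register() -> List[Risk]:
    """Constructed sample data: the same vulnerability on two different assets, plus one more."""
    return [
        Risk("lab test server", "default credentials on admin console",
             asset_value=5_000, exposure_factor=0.5, annual_rate=0.5,
             remediation_cost=200, plans=["change credentials", "restrict to lab VLAN"]),
        Risk("customer database", "default credentials on admin console",
             asset_value=400_000, exposure_factor=0.25, annual_rate=0.2,
             remediation_cost=2_000, plans=["change credentials", "add MFA", "cyber insurance"]),
        Risk("marketing website", "outdated TLS configuration",
             asset_value=20_000, exposure_factor=0.25, annual_rate=0.05,
             remediation_cost=3_000, plans=["reconfigure TLS", "accept risk"]),
    ]


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Sort the register by expected yearly loss, highest first."""
    return sorted(risks, key=lambda r: r.annual_loss_expectancy(), reverse=True)


def recommend(risk: Risk, residual_rate: float) -> str:
    """Treatment suggestion: fix when the fix pays for itself within a year, otherwise accept or insure."""
    return "fix" if risk.return_on_mitigation(residual_rate) > 0 else "accept or insure"


if __name__ == "__main__":
    for r in prioritise(sample_register()):
        print(f"{r.asset:18} {r.vulnerability:40} "
              f"SLE={r.single_loss_expectancy():>9.0f} ALE={r.annual_loss_expectancy():>8.0f} "
              f"-> {recommend(r, residual_rate=0.02)}")
```

Running the block prints the register ordered by expected loss: the customer database comes first although its vulnerability is identical to the lab server's, and the TLS finding on the marketing site, which a scanner might flag with the same severity as the others, is cheaper to accept or insure than to fix at the assumed rates.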

In a small company, MyCrypNet can be used as part of an answer to the network risks identified by threat modelling.
© 2015-2017 Coppint Market Place Ltd, All rights reserved.