Threats, Risks, and Vulnerabilities, oh my.
Every industry and every community has its own jargon and its own use of words. Often, this feels a tad semantic, as though people are using language as a source of power: if you know the secret language, you are in.
That said, having a clear and common understanding of the words used is important. The words, representing the concepts, define what we understand, what we focus on, and, ultimately, what we do and think.
The three words Threats, Risks, and Vulnerabilities are core words and concepts within security. This post explores how I define them, and I invite you and your community to explore how you will. Getting to a common and clear understanding of words that seem basic may seem a waste of time, but I would urge you to spend the time and engage with it. If all goes smoothly, great, but this exercise will help with everything else you want to achieve. All three of these terms are used broadly in everyday conversation, often interchangeably. Going with the “I will know it when I see it” approach can work for some things, but here it is more often than not a recipe for misunderstanding, fixing the wrong problem, and generating frustration.
When I talk about threats I am referring to the things that can happen. To be specific, I am referring to the fact that someone could steal my ice cream, or that I could be attacked by a vicious hamster. What I am NOT talking about here is the likelihood of that happening, or the impact or extent of harm it would cause me.
Does this definition work for you, within your community context? How will you define it? Given that threats are at the root of the security challenges we are looking to solve, how we define them describes how we will define the problem.
What then is risk? Risk is a concept that fascinates me, in that it carries a lot of meaning. I define risk as the probability of a threat occurring. When we use the word risk, to me it inherently frames the situation as the probability of a negative thing occurring. That is as opposed to, say, chance, which would be the probability of any event occurring, or perhaps luck, the probability of a positive event occurring. How we frame the probability says a lot about how we view the event. I could say that the risk of being attacked by a vicious hamster is less than 1%, or I could say there is a 99% probability that I will not be attacked by a hamster today.
Here’s the tricky part: how do you evaluate risk? This also should be part of the definition. Some models include tables and calculations to produce a number; others use categories like High, Medium, Low. Ultimately, the definition should be something that works for your community. My feeling is that 3 to 5 buckets such as low, medium, high work well in most cases, but that is something your community should decide for your context.
Vulnerability is basically what happens if the hamster gets to me. Vulnerability considers the impact of the threat happening: have I already done anything to protect against this, and how hard would it be to recover if it happened today? Understanding the vulnerability to a threat helps to have good conversations about where to focus efforts and attention. As an example, if we know that the risk of a hamster attack is high, but I am wearing boots without laces, so the hamster can’t chew through the laces, then the impact is likely low and we don’t need to put a lot of energy into addressing that threat.
Similar to risk, vulnerabilities can be measured in numbers or in categories. Different assessment models use either or both, and figuring out what works for you is a useful exercise. For me, likely because I like simple things, I tend toward the categories Low, Medium, High, but this may not be meaningful for you. When defining this, consider what you want the category or measurement to do. High vulnerability should be defined in a way that is a call to action; low or minimal vulnerability should reflect threats whose risk the community is willing to accept.
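To make the three definitions concrete, here is a small threat register in Python. It is an added example and not part of the original post: each threat is a named thing that can happen, its risk is the probability of it occurring bucketed into Low/Medium/High, and its vulnerability is the impact if it happens (given whatever protection is already in place) bucketed the same way. The two categories are then combined into an action, following the post's framing that high vulnerability is a call to action and low vulnerability is accepted. The bucket thresholds, the action rules, and the sample threats are my assumptions; a community would set its own.

```python
"""Added example (not from the original post): a tiny threat register that
applies the post's definitions of threat, risk and vulnerability.
The thresholds, action rules and sample threats below are assumptions."""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")


@dataclass(frozen=True)
class Threat:
    """A thing that can happen, with the two estimates this example needs."""
    name: str
    probability: float  # chance it occurs in the period considered, 0.0 to 1.0
    impact: float       # harm if it occurs given current protections, 0.0 to 1.0


def _bucket(value, label):
    # Assumed thresholds: under 0.1 is Low, under 0.5 is Medium, otherwise High.
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {value}")
    if value < 0.1:
        return "Low"
    if value < 0.5:
        return "Medium"
    return "High"


def risk_bucket(probability):
    """Risk: the probability of the threat occurring, as a category."""
    return _bucket(probability, "probability")


def vulnerability_bucket(impact):
    """Vulnerability: the impact if the threat happens, as a category."""
    return _bucket(impact, "impact")


def action_for(risk, vulnerability):
    """Assumed rules: high vulnerability is a call to action whatever the risk;
    low vulnerability is accepted whatever the risk; in between, act only when
    the risk is also high, otherwise keep an eye on it."""
    if vulnerability == "High":
        return "Act"
    if vulnerability == "Low":
        return "Accept"
    return "Act" if risk == "High" else "Monitor"


def assess(threat):
    """Bucket both estimates for one threat and decide what to do about it."""
    risk = risk_bucket(threat.probability)
    vulnerability = vulnerability_bucket(threat.impact)
    return {"name": threat.name, "risk": risk, "vulnerability": vulnerability,
            "action": action_for(risk, vulnerability)}


ACTION_ORDER = {"Act": 0, "Monitor": 1, "Accept": 2}


def prioritize(threats):
    """Order assessments by what to look at first: Act before Monitor before
    Accept, and within the same action the higher categories first."""
    assessed = [assess(t) for t in threats]
    return sorted(assessed, key=lambda a: (ACTION_ORDER[a["action"]],
                                           -LEVELS.index(a["vulnerability"]),
                                           -LEVELS.index(a["risk"])))


# Constructed register: the post's silly examples plus one plain one.
REGISTER = [
    Threat("vicious hamster attack", probability=0.6, impact=0.05),  # boots, no laces
    Threat("someone steals my ice cream", probability=0.3, impact=0.3),
    Threat("unencrypted laptop is lost", probability=0.05, impact=0.9),
]

if __name__ == "__main__":
    for a in prioritize(REGISTER):
        print(f'{a["action"]:8} {a["name"]:30} risk={a["risk"]:6} '
              f'vulnerability={a["vulnerability"]}')
```

Run as a script, the register prints with the lost laptop first (low risk, but high vulnerability, so it is the call to action), the ice cream in the middle (medium on both, so worth monitoring), and the hamster last: the risk is high, but the boots make the impact low, so the community accepts it. Swapping the thresholds or the rules in `action_for` is exactly the definition conversation the post asks a community to have.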
You may have noticed the repeated use of hamsters in the examples. Believe it or not, I do this intentionally and not because I have a fear of fluffy rodents. When trying to describe how you and your community will define a term, concept, etc. related to security, it is useful to have an example to work with. Given how negative the impacts of most security threats are, using an example that is a bit silly can help encourage engagement in the conversation. If hamsters don’t work for you for some reason, try something else, something that will conjure a bit of a smile even while you are pondering what the impact of it happening would be.
And, given your attention to detail and commitment to paying attention, you may also have noticed that I didn’t get into how to use these definitions or a process for a Threat and Risk Analysis. I will post some thoughts and questions about those in the near future, but I feel it is important to give space to the definition exercise. That, and this strikes me as lengthy enough as it is. One last thought: there are a few other definitions, like fear, perception, risk tolerance, etc., that may be useful as well. I plan to get to those at some point. I encourage you to think on what terms and concepts would be useful for you and your community to define, and to share them so that others can learn from it.