
A Threat is a person or natural event that can exploit a Vulnerability. In information security, a "Threat" is typically a person, such as a disgruntled employee, hacker or criminal. In business continuity planning, a "Threat" includes natural events that disrupt an organization and deny the availability of data or systems.

Systems, applications and processes do not fail on their own. You need an agent - a person or natural event - to exploit a vulnerability in order for a loss to occur. For example, an unreinforced brick building is vulnerable to destruction in an earthquake. But if the threat of a significant earthquake is remote, the likelihood of loss is low.