Threats & Vulnerabilities

Be careful how you use the term "Threat", for it is often misused in the risk community and confused with Vulnerability. The Merriam-Webster Dictionary defines Threat as the "expression of intention to inflict evil, injury, or damage". As defined on this site, a Threat is a person or natural event that can exploit a defect in a control and cause harm to an organization. In effect, a Threat is the actor in the Risk equation: the person or thing that causes the loss, the Threat agent. When the term is used incorrectly, Threat refers to the "condition" that creates risk, which implies that a Threat is a defective Control or a Vulnerability. A computer virus or a poorly configured firewall is not a Threat; they are Vulnerabilities. A person or natural event must exploit these Vulnerabilities for a loss to occur.