Vulnerability vs. risk: Knowing the difference improves security

Conflating security terms evokes fear but doesn't help security newbs understand the difference between vulnerabilities and actual risks.

The future leaders of cybersecurity will be fluent in languages other than technology and will stop using fear to conflate the message of vulnerability versus risk. That’s the message that kicked off this year's (ISC)2 Security Congress conference. 

Donald Freese, deputy assistant director at the FBI, and Brandon Dunlap, managing director at Brightfly, talked about the difference between vulnerability and risk as they relate to leadership. The conflation of these words is problematic because when people get caught up in fear, they start to react to threats with intensity rather than consistency.

The difference between vulnerabilities and risks

The distinction between vulnerabilities and risks is a conversation that is happening not only in Austin, Texas, this week but among many security experts. Last week, I talked with Guy Bejerano, CEO and co-founder of SafeBreach, who commented on the widespread confusion of these terms.

"A vulnerability is a weakness in a system or application that may be exploited to violate that specific system without any context to the impact involved," he said.

An actual risk takes into consideration more than just known vulnerabilities, but any action that might result in an impact. An example of actual risk, said Bejerano, is sending an email that has credit card information in it.

Risk is also independent of vulnerability, and organizations have risks even if there are no known vulnerabilities. Think of a phishing scam or accidental misconfiguration.  

So, it wasn't a surprise when Freese and Dunlap meandered onto the topic of language — how we use it and how we are often confused by it.

While it is critical to study threats, turning every threat into a risk confuses the message, and analysts end up crying wolf, said Freese. 

Keep emotion and fear out

We need to remember that security is a service we should be providing, and if everything is a threat, there is no point anymore.

"When we start to use emotion and fear to drive the conversation, we are failing," Freese said. 

Leading with fear also makes it harder to prioritize resources because fear is very subjective. Security practitioners need to identify the real adversary and real risk scenarios so that they can focus on those they are able to manage.

Managing risk is about distinguishing between probability and possibility.

"It's probability that applies to the business side of things," Freese said. 

Drawing the distinction between probability and possibility requires that analysts know their networks. When you know your network, said Dunlap, you can have an itemized list of your actual risks. 

How to manage risk

Certainly there is no way to get through the list in a day, particularly when more issues are added to the list before existing ones are resolved. But, Dunlap said, "maybe you are able to get to the top five items. The next day you address the next five. It's about exercising those risk muscles."

Managing risk is about knowing the data that you have, why you have it, and how it is stored. But another big part of managing risk is making sure conversations about risk are going on across the enterprise.

To that end, security practitioners need to become fluent in the language of business so that they can convey the actual risks in a way that enables them to build a better security posture.

You will inevitably be compromised, though. That's the reality of the digital enterprise. Just as Dylan Thomas encourages us, "Do not go gently into that good night," security practitioners — especially those who are new — should not give up without a fight.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.