What are the differences between Hack, Threat, Vulnerability, Risk and Issue from a Cybersecurity standpoint?

A Hack is an attempt to breach defenses and exploit weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or evaluating system weaknesses to assist in formulating defenses against potential hackers. Hackers use various means, known as threats, to accomplish their goal of penetrating the targeted system.

A Threat is a possible danger that might exploit a vulnerability to breach security and therefore cause harm. A threat can be "intentional" (i.e. hacking: an individual hacker or a criminal organization), "accidental" (e.g. the possibility of a computer malfunctioning, or of a natural disaster such as an earthquake, a fire, or a tornado), or otherwise a circumstance, capability, action, or event. NIST defines a threat as “any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.”

A Vulnerability is a weakness that can be exploited by a hacker to perform unauthorized actions within a computer system. To exploit a vulnerability, a hacker must have at least one applicable tool or technique that can connect to a system weakness. Thus, a vulnerability is also known as the attack surface.

A security risk is often incorrectly classified as a vulnerability. Using "vulnerability" to mean the same thing as "risk" can lead to confusion. The risk is the potential of a significant impact resulting from the exploitation of a vulnerability. There are also vulnerabilities without risk, for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists.

Cybersecurity Issues or Concerns are simply threats, vulnerabilities and risks that can lead to a person, group, system or network being compromised.
