
ISO 27001 Implementation > Risk Assessment & Treatment

Identify Threats and Vulnerabilities

35 min | lab | +70 XP

Learning Objectives

  • Identify threats and vulnerabilities systematically
  • Use established threat catalogs and vulnerability databases
  • Document threat-vulnerability pairs for risk scenarios

Identifying Threats and Vulnerabilities

Risk assessment requires understanding what could go wrong and what weaknesses could be exploited. Threat and vulnerability identification provides the foundation for analyzing risk scenarios and determining appropriate treatments.

Understanding the Relationship

Threats represent potential causes of unwanted incidents that could harm assets. Vulnerabilities represent weaknesses that threats can exploit. Risk exists where threats and vulnerabilities intersect around valuable assets. A threat alone causes no harm if no exploitable vulnerability exists. A vulnerability creates no risk if no threat would exploit it.

This relationship means identification must consider threat-vulnerability pairs in context. A hurricane threat matters for facilities in hurricane zones but creates no risk for geographically protected locations. An unpatched system vulnerability creates risk only if threat actors have motivation and capability to exploit that specific vulnerability.

Threat Categories

Natural threats include environmental events like fire, flood, earthquake, and severe weather. These threats typically cannot be prevented but can be mitigated through location selection, physical protections, and business continuity planning.

Intentional human threats encompass malicious actors seeking to harm the organization. External attackers, organized crime groups, nation-state actors, and malicious insiders all represent threat sources with varying motivations and capabilities. Threat intelligence helps understand which threat actors target your industry or organization.

Unintentional human threats arise from mistakes rather than malice. Employees misconfigure systems, accidentally delete data, fall for phishing attacks, or lose devices containing sensitive information. These threats often exceed intentional threats in frequency if not in individual impact.

Technical threats include system failures, software bugs, and infrastructure malfunctions. Hardware eventually fails. Software contains defects. Dependencies on third-party services create supply chain risks.

Vulnerability Types

Technical vulnerabilities include unpatched systems, insecure configurations, weak authentication, and design flaws. Vulnerability scanning and penetration testing identify many technical vulnerabilities, though design-level issues require architectural review.

Organizational vulnerabilities encompass missing processes, unclear responsibilities, inadequate training, and insufficient resources. These vulnerabilities often matter more than technical issues because they prevent effective response to incidents.

Physical vulnerabilities include inadequate access controls, environmental weaknesses, and infrastructure dependencies. Physical security often receives less attention than logical security despite enabling devastating attack scenarios.

Documentation Requirements

For each risk scenario, document the specific threat, the vulnerability being exploited, the affected assets, and the potential impact. This documentation supports risk analysis, treatment selection, and ongoing monitoring.
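The pairing rule above (risk exists only where an applicable threat meets an exploitable vulnerability on a valuable asset) and the documentation requirement (threat, vulnerability, asset, impact per scenario) can be expressed as a small risk-register builder. The code below is an added example and is not part of the Loopus course material; the asset, threat and impact records are constructed sample data, and the `location` attribute used to decide whether a threat applies is an assumption chosen to mirror the hurricane-zone illustration.

```python
"""Build documented threat-vulnerability risk scenarios (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    location: str                 # assumed context attribute used for threat applicability
    vulnerabilities: frozenset    # vulnerability identifiers present on this asset


@dataclass(frozen=True)
class Threat:
    name: str
    category: str                 # natural / intentional / unintentional / technical
    exploits: frozenset           # vulnerability identifiers this threat can exploit
    applies_to_locations: Optional[frozenset] = None  # None means "applies everywhere"


@dataclass(frozen=True)
class RiskScenario:
    """The four fields the lesson requires for every documented scenario."""
    threat: str
    vulnerability: str
    asset: str
    impact: str


def threat_applies(threat: Threat, asset: Asset) -> bool:
    """A threat only matters in context: a hurricane threat is irrelevant to an inland site."""
    return threat.applies_to_locations is None or asset.location in threat.applies_to_locations


def identify_risk_scenarios(assets: List[Asset], threats: List[Threat],
                            impacts: Dict[Tuple[str, str], str]) -> List[RiskScenario]:
    """One scenario per (threat, vulnerability, asset) triple where the threat applies
    in the asset's context AND the asset carries a vulnerability that threat exploits.
    A threat with no matching weakness, or a weakness with no applicable threat, yields nothing."""
    scenarios = []
    for asset in assets:
        for threat in threats:
            if not threat_applies(threat, asset):
                continue
            for vuln in sorted(threat.exploits & asset.vulnerabilities):
                impact = impacts.get((vuln, asset.name), "unassessed")
                scenarios.append(RiskScenario(threat.name, vuln, asset.name, impact))
    return scenarios


def is_fully_documented(scenario: RiskScenario) -> bool:
    """Documentation check: every required field must be filled and the impact assessed."""
    return all([scenario.threat, scenario.vulnerability, scenario.asset]) \
        and scenario.impact not in ("", "unassessed")


# Constructed sample register (not real organisational data).
SAMPLE_ASSETS = [
    Asset("ERP server", "datacenter-inland", frozenset({"unpatched-os", "no-flood-barrier"})),
    Asset("Branch office", "coastal-zone", frozenset({"no-storm-shutters", "unpatched-os"})),
]
SAMPLE_THREATS = [
    Threat("Hurricane", "natural", frozenset({"no-storm-shutters", "no-flood-barrier"}),
           applies_to_locations=frozenset({"coastal-zone"})),
    Threat("Ransomware operator", "intentional", frozenset({"unpatched-os"})),
    Threat("Hardware failure", "technical", frozenset({"no-spare-hardware"})),
]
SAMPLE_IMPACTS = {
    ("unpatched-os", "ERP server"): "loss of order processing for days",
    ("unpatched-os", "Branch office"): "local workstation outage",
    ("no-storm-shutters", "Branch office"): "site unavailable, equipment damage",
}


def build_register() -> List[RiskScenario]:
    return identify_risk_scenarios(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_IMPACTS)


if __name__ == "__main__":
    for s in build_register():
        print(f"{s.threat:20} -> {s.vulnerability:18} on {s.asset:14} | {s.impact}")
```

Running it produces three scenarios: the inland ERP server gets a ransomware scenario but no hurricane scenario (the threat does not apply there, even though a flood-barrier weakness exists), the coastal branch gets both hurricane and ransomware scenarios, and the hardware-failure threat yields nothing because neither asset carries a weakness it exploits. That is exactly the "threat alone" and "vulnerability alone" cases from the lesson producing no risk.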

Answer the Questions

Knowledge Question 1

What exploits a vulnerability?

Knowledge Question 2

An unpatched system is an example of what?

Knowledge Question 3

Can natural events be considered threats?
