Threats, Vulnerabilities, and Exploits
Earlier in the week, I attempted to define threat
, vulnerability
, and exploit
in non-technical terms, as well as demonstrate how they are related to each other. I chose to base my examples off of a knight in battle; something that anyone can easily visualize without needing any detailed knowledge on what it involves.
I first started off with vulnerability: A vulnerability is just a weakness or hole in defenses. Imagine a knight who lost his helmet during a battle. His defenses are down, and he is now open to significant harm.
A threat is someone or something that can take advantage of a vulnerability, whether that’s destroying, modifying, or just observing what the vulnerability belongs to. An enemy approaching the knight is a threat; the enemy is ready to strike the vulnerability that is present.
An exploit is used by a threat in order to cause the most significant damage possible or bypass even tougher defenses, but it still relies on a vulnerability. The enemy’s sword could be the exploit: it is the tool that is allowing the enemy to destroy the target based on its vulnerability.
An important relationship to consider with this is risk. I find that one of the simplest ways to demonstrate the relationship is with this formula: [risk] = [threat] * [vulnerability]
Analyze the formula with some extremes: You could have the worst vulnerability (a knight with no armour); but if there is no threat (no enemies nearby), then there is no risk! Likewise, you could have the worst threat (the entire world against one knight); but if you have no vulnerability (the knight is an immortal), then there is no risk! While it may be simplified and have some gaps (you could easily add in cost and probability to the equation), I find it to be a fairly reliable model to follow.
If anyone has any other examples for these terms that you think are better suited, feel free to comment!