Threats and Vulnerabilities
(OBJ 1.2)
Threat
- Anything that could cause harm, loss, damage, or compromise to our information technology systems
- Can come from the following
  - Natural disasters
  - Cyber-attacks
  - Data integrity breaches
  - Disclosure of confidential information
Vulnerabilities
- Any weakness in the system design or implementation
- Come from internal factors like the following
  - Software bugs
  - Misconfigured software
  - Improperly protected network devices
  - Missing security patches
  - Lack of physical security
- "Becomes a risk management decision"
Intersection of Threats and Vulnerabilities
- Remember that the intersection of threats and vulnerabilities is where the risk to enterprise systems and networks lies
- If you have a threat, but there is no matching vulnerability to it, then you have no risk
  - Threat + No Vulnerability = No risk
- The same holds true that if you have a vulnerability but there’s no threat against it, there would be no risk
  - Vulnerability + No Threat = No risk
Risk Management
- Finding different ways to minimize the likelihood of an outcome and achieve the desired outcome
- Situation Example: Getting to work on time in the morning
  - Vulnerabilities
    - You forgot to fill up your car the night before, so now you won't have enough gas to get to work without stopping at a fuel station. This is a lack-of-preparation vulnerability
    - You forgot that it was your day to drop off the kids at school before you go into work. This is a scheduling vulnerability
    - You forgot to perform the routine maintenance on your car, and this could cause it to break down before you get to the office. This is a vehicular vulnerability
    - Note: You do have control over these because these vulnerabilities were all created by internal factors that you could have done something about.
  - Threats
    - An impatient driver ended up causing an accident on the freeway and now you're stuck in traffic, which is going to cause a delay to your commute.
    - An environmental disaster could have happened
    - Note: These situations are outside of your control.
  - Outcome
    - Getting to work on time without being late
  - Operation
    - Utilizing proper mitigating actions to minimize the impact that the threat will have on the system if the risk is realized
- Vulnerabilities