In an earlier post, I noted that one of the major goals of information security is to mitigate security risks. Another major goal of information security, as a discipline and as a profession, is to protect valuable information assets. To study the methods of protecting these assets, we can adopt what is known as a vulnerability/threat/control framework. To begin, consider a vulnerability, which is a weakness in some aspect of an information system. If a vulnerability is exploited, that exploitation has the potential to cause loss or harm. A human being who intentionally exploits a vulnerability is perpetrating an attack on the system; an attack, then, can be defined as an intentional exploitation of a system vulnerability. Next, consider a threat, which is simply a set of circumstances that has the potential to cause loss or harm. As we will see shortly, threats and vulnerabilities are very closely related. Finally, we have controls, which are things that we do or things that we have that help to eliminate or reduce a vulnerability. Note that another name for a control is a countermeasure.

When first learning about information security, many people become confused regarding the difference between a threat, a vulnerability, and a control. I will therefore provide a simple example that I hope will help you to remember the difference between these three security concepts. Imagine that you are walking over a bridge. Whenever you walk over a bridge there is always a certain threat to your safety; namely, that the bridge might collapse underneath you.

Here, the possibility of the bridge collapsing is a threat to your safety. Now imagine that there is a weakness in the bridge. For this example, let’s say that the mortar between the blocks of stone from which the bridge is constructed has begun to crumble or deteriorate.

The weaknesses in the mortar are vulnerabilities, and if those vulnerabilities were to be exploited, the threat of the bridge collapsing would be actualized, and might cause you physical harm.

A control, then, is something that we do or something that we have that helps us to eliminate or reduce a vulnerability. In this example, we might apply bracing to reinforce the bridge, or we might repair the crumbling mortar, thus reducing the possibility that the vulnerability will be exploited.

Broadly, then, threats are blocked or prevented from being actualized by controlling vulnerabilities.