Lesson 2: Assets, Threats, Vulnerabilities & Risk
Managing information security requires a shared vocabulary: Asset, Threat, Vulnerability, and Risk. In this lesson we define each term precisely, see how they combine into a single model, and learn how risk is calculated and which controls are worth implementing.
An asset is something we value; a threat is who or what might harm it; a vulnerability is the weakness it exploits; and risk is how likely that is — times how much it would cost us.
- Asset: Anything of value that must be protected: information, hardware, software, people (knowledge), services, and reputation. Classified by sensitivity and regulation (PII, PCI).
- Threat: A factor or event that may exploit a vulnerability and harm an asset. Types: human, natural, technological, and regulatory.
- Vulnerability: A weakness that a threat can exploit, e.g. a weak password, an exposed default configuration, or missing updates.
- Risk: The product of the probability of an event and its impact: Risk = Probability × Impact.
- Attack Surface: The sum of all possible entry points into a system (open ports, APIs, users, and services). The goal is to minimize it.
- Security Incident: The materialization of a threat that exploited a vulnerability, leading to an impact on the organization.
- Risk Response: The decision on how to handle a risk, from four strategies: Accept, Mitigate, Transfer, and Avoid.