Answer:
To understand the differences between threat, vulnerability and exploit assessments, first look at their definitions; the difference will then be clear on its own.

Definitions:
- Threat:
  - In the context of risk management, a threat is an event that can result in an unfavourable or unwanted outcome. This negative outcome can be a loss of resources, losing a client, etc.
  - Ex: A flood can hit your manufacturing unit; the flood is the threat.
- Vulnerability:
  - It is a weakness or loophole in our organisation that can make a threat effective, i.e. due to these vulnerabilities a threat can create a negative outcome.
  - Ex: Not having proper flood control measures implemented is a vulnerability, which can be exploited by the threat, i.e. the flood.
- Exploit:
  - An exploit is basically the event or process of a threat using a vulnerability to cause an unfavourable outcome.
Difference between threat, vulnerability and exploit assessment:
Although the above definitions make it quite clear what the difference in their assessments is, some of the differences, along with examples, are:
- Threat assessment
  - It mainly pertains to identifying the potential threats that may arise for the organisation.
  - After identifying the threats, it also involves evaluating the likelihood of each threat affecting the organisation in future and what its frequency of occurrence can be.
  - Nowadays complex practices like threat modelling are used to assess various threats.
  - Ex: Assessing weather trends and forecasts to evaluate the possibility of a flood near the manufacturing plant.
- Vulnerability assessment:
  - It is performed by the organisation to find the loopholes and weaknesses in the organisation that various threats might exploit.
  - Generally it is done both by a person from inside the organisation (internal assessment) and by a person outside the organisation (external assessment).
  - Ex: A team of expert architects assessing the quality of the flood protection measures in the manufacturing plant, or Google inviting ethical hackers to find loopholes.
- Exploit assessment:
  - It includes a sort of simulation of an attack by the identified threats to measure the exploitation of the vulnerability.
  - Sounds a little complex; simply put, it is the evaluation of what the impact will be of a threat exploiting a weakness (vulnerability).
  - Ex: Assessing the potential loss of resources if a flood-like situation arises under present conditions.