Question

In reference to risk managment strategies, describe the differences between threat assessments, vulnerability assessments, and exploit assessments.

Answer 1

Answer:

To look into the differences of assessments of threat, vulnerability and exploit. First look at their definitions then difference will itself be clear

Definitions:

• Threat:
  • Threat in context of risk management means the events that can result in unfavourable or unwanted outcomes. This negative outcome can be loss of resources, or losing out a client etc.
  • Ex: A flood can hit your manufacturing unit, it is threat.
• Vulnerability:
  • It is the weakness or loop hole in our organisation that can make threat effective, i.e. due to these vulnerabilities a threat can create negative outcome.
  • EX: Not having proper flood control measures implemented is a vulnerability. Which can be exploited by threat i.e. flood
• Exploit:
  • Exploit is basically the event or process of threat using vulnerability to cause unfavourable outcome.

Difference between threat, vulnerability and exploit assessment:

Although the above definitions make it quite clear that what is the difference in their assessments, some of the differences along with example are:

• Threat assessments
  • It mainly pertains to identifying the potential threats that may arise for the organisation.
  • After identifying the threats, it also involves evaluating the likelihood of that threat affecting the organisation in future and what can be its frequency of occurrence.
  • Now a days complex practices like threat modelling are used to assess various threats.
  • Ex: Assessing the weather trends and forecast to evaluate the possibility of flood near the manufacturing plant.
• Vulnerability assessment :
  • It is performed by the organisation to find the loop holes and weaknesses in the organisation that various threats might exploit.
  • Generally it done by both a person from inside of organisation (internal assessment) and a person outside the organisation (external assessment).
  • Ex: a team of expert architects assessing the flood protection measure’s quality in the manufacturing plant. Or google inviting ethical hackers to find loop holes.
• Exploit Assessment:
  • It includes sort of simulation of attack by identified threats to measure the exploits of vulnerability.
  • Sounds little complex, simply it is the evolution of what will be the impact of a threat exploiting a weakness (vulnerability).
  • Ex: Assessing the potential loss of resources if a flood like situation arises in present conditions