There is never-ending debate on the language around Threat Modeling. About three in four presentations you’ll see on the topic will mangle and conflate these terms in unholy ways.
So what I want to do here is give what I believe to be the clearest definitions of the terms—specifically around the difference between a threat and a risk, and a threat and a threat-actor.
A Threat is a negative event that can lead to an undesired outcome, such as damage to, or loss of, an asset. Threats can use—or become more dangerous because of—a vulnerability in a system.
In common usage, the word Threat is used interchangeably (in different contexts) with both Attack and Threat Actor, and is often generically substituted for a Danger.
Common Threats include things like:
- An activist tries to steal data from your website
- A fire starts in your datacenter
- An administrator accidentally turns off your website AWS instance
- A flood hits your headquarters
- An insider tries to sell your corporate secrets to a competitor
It’s something negative, such as an event or an attack that presents danger to you and that we want to avoid.
Once we know what threats are it’s pretty straightforward to see what Threat Actors are. They’re simply the person, actor, entity, or organization that is initiating the given scenario.
This is generally reserved for human-driven scenarios, such as hack attempts. It doesn’t usually make sense to talk about threat actors when the event is a flood or an earthquake, for example. And if it does you probably have a book deal in your future.
Common Threat Actors include things like:
- Disgruntled insiders
- Nation States
- Careless employees
Don’t discount natural elements when considering Threats. While they might not have traditional Threat Actors, natural Threat events can often cause significantly more damage than human-based Threats.
Vulnerabilities are simply weaknesses in the system, and are not as commonly confused as other terms. Vulnerabilities are what make Threats possible and/or more significant.
Common examples of Vulnerabilities include:
- Lack of proper building access control
- Cross-site Scripting (XSS)
- SQL Injection
- Cleartext transmission of sensitive data
- Failure to check authorization to sensitive resources
- Failure to encrypt sensitive data at rest
Vulnerabilities are the weaknesses that are taken advantage of by Threat Actors to do what they’re trying to do.
Risks are most commonly confused with threats, but they’re different in a crucial way.
A risk, in plain language, is a chance of something bad happening combined with how bad it would be if it did happen.
Let’s unpack that—it’s a chance of something bad happening…combined with how bad it would be if it happened. It’s essentially the combination of Probability and Impact, and in fact the most common equation for risk is the following:
risk = probability x impact
The cause of confusion with Threats and Risks is that most people use both terms interchangeably as a substitute for scenarios, without understanding the difference, e.g.:
> We need to protect against these risks.
> We need to protect against these threats.
…which are both the same as…
> We need to protect against these scenarios.
It’s true that both refer to scenarios: the difference is that a Threat is a negative event by itself, where a Risk is the negative event combined with its probability and its impact.
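As an added example (not code from the original essay), here is that distinction expressed in Python: a Threat is modelled as the event alone, and a Risk as the same Threat combined with a probability and an impact in a given context, so one Threat yields a different Risk in each context. The threats are taken from the essay's list; every probability, impact and context string is constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    """A negative event on its own: no probability or impact attached yet."""
    event: str
    actor: Optional[str] = None   # None for nature-driven events such as fire or flood


@dataclass(frozen=True)
class Risk:
    """The same Threat once it is combined with probability and impact in a context."""
    threat: Threat
    context: str
    probability: float   # chance the event occurs in the period considered, 0.0 to 1.0
    impact: float        # loss if it does occur (constructed values, thousands of USD)

    @property
    def score(self) -> float:
        # risk = probability x impact, the equation quoted in the essay
        return self.probability * self.impact


def rank_risks(risks: list) -> list:
    """Order a risk register for treatment: highest probability x impact first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def top_risk(risks: list) -> Risk:
    return rank_risks(risks)[0]


# Threats from the essay's own list; the numbers and contexts below are constructed.
DATA_THEFT = Threat("An activist tries to steal data from your website", actor="activist")
FIRE = Threat("A fire starts in your datacenter")
FLOOD = Threat("A flood hits your headquarters")

REGISTER = [
    # Same Threat, two contexts: an unfixed SQL injection flaw (a Vulnerability) raises probability.
    Risk(DATA_THEFT, "site with unfixed SQL injection", probability=0.60, impact=800),
    Risk(DATA_THEFT, "site using parameterised queries", probability=0.05, impact=800),
    Risk(FIRE, "datacenter with fire suppression", probability=0.02, impact=5000),
    # Same Threat, two contexts: siting changes probability while the event itself is unchanged.
    Risk(FLOOD, "HQ on a floodplain", probability=0.20, impact=2000),
    Risk(FLOOD, "HQ on high ground", probability=0.01, impact=2000),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.score:8.1f}  {r.threat.event} ({r.context})")
```

Running it ranks the register with the data theft against the injectable site first (480) and the flood at a floodplain HQ second (400), while the identical data-theft Threat against the fixed site drops to 40.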
- A Threat is a negative scenario you want to avoid
- A Threat Actor is the agent that makes a Threat happen
- A Vulnerability is a weakness that can be exploited in order to attack you
- A Risk is a negative scenario you want to avoid, combined with its probability and its impact
- The difference between a Threat and a Risk is that a Threat is a negative event by itself, where a Risk is the negative event combined with its probability and its impact
- If you have any suggested tweaks to this language, I’d enjoy hearing them.
- There are other terms associated with Threat Modeling as well, such as Assets, but they are generally well-understood.
- It’s generally a sign of maturity in an organization if they consider nature-based threats such as flood and fire in addition to human-based scenarios.