Risk Management Terms
Asset
An asset is something in need of protection.
- Can include data, systems, infrastructure, hardware, software, or personnel
- Loss or compromise of an asset may impact operations, finances, or reputation
Vulnerability
Gap or weakness in protecting valuable assets, including information.
- Can result from misconfigurations, outdated systems, or lack of security controls
- Exploitable by threat actors to gain unauthorized access or cause damage
- Example: IT environment vulnerable to flooding during a major storm
Threat
A potential danger that exploits a vulnerability to cause harm to assets.
- Can be intentional (e.g. hacker) or unintentional (e.g. natural disaster)
- Example: Natural disaster threatens utility power supply, impacts IT asset availability
Harm by Exploitation:
- Exploiting a vulnerability allows threats to harm assets
- Example: Storm cutting off power, rendering IT components unusable
Mitigation and Risk Evaluation:
- Evaluate event likelihood and take actions to reduce risk
- Example: Assessing storm risk and implementing backup power systems
Threat Actor
An individual or a group posing a threat (according to NIST SP 800-150 under Threat Actor).
- Can include hackers, insiders, criminal groups, or nation-state actors
- Motivations vary: financial gain, espionage, disruption, or activism
- For more information, please see Cyber Threat and Attacks.
Threat Vector
Threat Vectors are means by which a threat actor carries out their objectives.
- Phishing emails
- Malicious websites
- Unsecured APIs
- Insider misuse
Attacker
An Attacker is always an individual, but a Threat Actor can be either a group or an entity.
- Attackers use threat vectors to exploit vulnerabilities and compromise systems
- Can act independently or as part of a larger organization
Attack Vectors
Pathways used to gain unauthorized access to systems or data.
- Weak configurations
- Open firewall ports
- Lack of user security awareness
- Lack of MFA
- Missing patches
- Infected USB drives
Supply-Chain Attacks
Target weaknesses in external vendors or partners involved in service delivery.
- Attackers may compromise third-party tools or code to infiltrate your system
- Examples: Manufacturers, contractors, outsourced personnel
As owners of the contractual agreement, we have the right to audit the third-party systems any time to make sure they're compliant with standards and regulations.
Likelihood
Likelihood of Occurrence
This refers to how likely it is that a threat will successfully exploit a vulnerability.
- It is usually estimated based on past incidents, known threats, and system weaknesses
- Often categorized as Low, Medium, or High probability
- Helps prioritize risks by weighing the chances of a real event occurring
Impact Assessment
Impact is the potential damage or consequences resulting from a successful exploit.
- Includes data loss, financial damage, reputation harm, or service disruption
- May vary depending on the type of system affected and the sensitivity of the data
- Assessment INCLUDES *direct consequences (e.g., system outage) and *indirect effects (e.g., customer trust loss)
Shadow IT
Shadow IT refers to the use of software, hardware, or services by employees without approval from the IT or security teams.
- Can lead to security risks, data leaks, and compliance violations
- Managed through clear policies, monitoring tools, and staff awareness
State Actor
A state actor is an individual or group working on behalf of a government to carry out cyber operations.
- Backed by strong resources and expertise to launch advanced attacks
- Often target sensitive sectors like government, defense, and critical services
To defend against state actors, organizations need strong cybersecurity measures, real-time threat intelligence, and international cooperation.
Advanced Persistent Threat
An Advanced Persistent Threat (APT) is a sophisticated and stealthy cyber attack, usually conducted by organized groups that are often linked to nation-states.
- They focus on maintaining long-term access to a target's network.
- APTs often aim to gather intelligence, steal data, or disrupt operations.
- For more information, please see APTs.
Advanced Tactics, Techniques, and Procedures
Advanced Tactics, Techniques, and Procedures (TTP) describe the behaviors and methods used by threat actors in cyber attacks.
| Term | Description |
|---|---|
| Tactics | High-level goals or strategies that threat actors aim to achieve. |
| Techniques | Specific methods or approaches attackers use to execute a tactic. |
| Procedures | Detailed steps or sequences used to carry out techniques consistently. |