InfoSec Risks, Threats, Vulnerabilities & Countermeasures

When discussing infosec, confusion over terminology is a common issue, so it is important to be clear on the terms used in this conversation. This article takes a closer look at infosec risks, threats, vulnerabilities and countermeasures. It also briefly discusses the well-known formula used to relate these concepts.


Risks

One way to think of a risk is as the possibility for a problem to arise. Essentially, risk is the potential for an unwanted negative consequence to be realized; risks are not problems in and of themselves. According to SANS,

“Thinking about risks as ‘potential problems’ sets the stage for the manager or analysis team to make decisions to avoid such problems. If a risk has become a problem, it is too late for mitigation. Action is warranted right away for problems. If risk management has been successful, that action has been planned, rehearsed and budgeted.”

Threats, Attacks and Vulnerabilities

It is common to see the terms threat, attack and vulnerability interchanged and used incorrectly. Basic definitions of these concepts are provided below, as given in Gregory’s CISSP Guide to Security Essentials:

  • Threat – the expressed potential for the occurrence of a harmful event such as an attack
  • Attack – an action taken against a target with the intention of doing harm
  • Vulnerability – a weakness that makes targets susceptible to an attack


Countermeasures (Security Controls)

Security controls are also referred to as safeguards or countermeasures, and may be technical or administrative. The goal of a countermeasure is to counteract a threat acting on its associated vulnerability, or to minimize the resulting loss (of availability, for example). The GAO describes the control environment in which such controls operate as follows:

“The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; and the way management assigns authority and organizes and develops its people.”

There are four basic types of countermeasures:

  • Preventative – These work by keeping something from happening in the first place. Examples include: security awareness training, firewalls, anti-virus, security guards and IPS.
  • Reactive – Reactive countermeasures come into effect only after an event has already occurred, for example restoring systems from backup or invoking an incident response plan.
  • Detective – These identify that an event is occurring or has occurred. Examples include: system monitoring, IDS, anti-virus, motion detectors and IPS. (Anti-virus and IPS appear under both preventative and detective controls because they first detect an event and then block it.)
  • Administrative – These controls consist of developing policy and procedures and ensuring compliance with them; they protect an asset through policy rather than technology. Note that this category describes how a control is implemented rather than when it acts, so an administrative control such as a policy mandating awareness training is also preventative in effect.

Risk/Threats/Vulnerabilities Formula

We’ve all seen the information security risk analysis formula, which suggests that:

Risks = Threats X Vulnerabilities X Impact

Certain versions of this formula substitute ‘consequence’ for ‘impact’, though the concept is essentially the same. Some security practitioners argue that the equation does not make sense mathematically and is not applicable to the practice of infosec. Its roots appear to lie in decision theory, particularly in expected utility/value theory, so it is worth comparing the two.

The expected utility or value of an action may be thought of as a weighted average. It is determined by defining a set of mutually exclusive and jointly exhaustive possible outcomes of a particular course of action, multiplying the probability of each outcome by its utility, and summing the products. This formula is clear and mathematically rigorous.

By contrast, the ‘Risks = Threats X Vulnerabilities X Impact’ formula referred to above is unclear and mathematically incoherent as written: it gives these concepts no defined mathematical meaning. One simple question is: what are the units of measurement for threats and vulnerabilities? Another: what is the range of possible values for a vulnerability, and what does the product of two such values represent?

In addition, the ‘Risks = Threats X Vulnerabilities X Impact’ formula fails to take into account all of the possible outcomes of a particular action. It focuses solely on security threats, and can only be evaluated for a single security threat at a time.

Perhaps the formula is not meant to be used as a mathematical formula, but rather as an informal way of stating that security risk is a function of threats, vulnerabilities and potential impact or consequence. In that case, the formula could use a revision for clarity’s sake.
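As an added illustration (not part of the original article), the following writes the informal formula as one term of the expected-value sum described above, which is one way to give it the clarity the preceding paragraph asks for. Reading ‘threat’ as the probability that an attack is attempted, ‘vulnerability’ as the probability that an attempted attack succeeds, and ‘impact’ as the loss if it does, is an assumption made for this illustration, not a definition from the article or from Gregory’s text.

Expected value of an action $a$ over mutually exclusive, jointly exhaustive outcomes $o_1, \dots, o_n$ with probabilities $p_i$ and utilities $u_i$:

$$E[U(a)] = \sum_{i=1}^{n} p_i \, u_i, \qquad \sum_{i=1}^{n} p_i = 1, \quad p_i \in [0, 1].$$

For a single threat, let $p_T = P(\text{attack attempted})$, $p_V = P(\text{attack succeeds} \mid \text{attempted})$, and let the loss be $L$ on success and $0$ otherwise. The three outcomes (attempted and succeeds, attempted and fails, not attempted) give

$$E[\text{loss}] = p_T \, p_V \, L \;+\; p_T (1 - p_V) \cdot 0 \;+\; (1 - p_T) \cdot 0 \;=\; p_T \, p_V \, L.$$

This is the ‘Threats X Vulnerabilities X Impact’ product with its units made explicit: two dimensionless probabilities in $[0, 1]$ and a loss in whatever units $L$ is measured in (money, hours of downtime). Across several threats indexed by $j$, linearity of expectation gives

$$E[\text{loss}] = \sum_{j} p_{T_j} \, p_{V_j} \, L_j,$$

which is precisely the summation over outcomes that the single-threat formula omits. The sum assumes that losses from different threats simply add; if one incident changes the probability or impact of another, the outcomes must be enumerated jointly rather than per threat.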


Summary

This article takes a closer look at infosec risks, threats, attacks, vulnerabilities and countermeasures/security controls. It differentiates between the concepts and provides industry-standard definitions for each. The article also explores four basic categories of countermeasures/security controls: preventative, reactive, detective and administrative. Finally, the article examines the ‘Risks = Threats X Vulnerabilities X Impact’ formula from a critical perspective.

CIPP Exam Preparation

In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:

  • Information Security threats and vulnerabilities (II.A.d.)
