Threats are generally considered to be part of the overall security environment. A list of possible threats might be considered to be the same for all organizations operating in that environment. Vulnerability, on the other hand, will differ for each organization, and can be influenced directly from within each organization. Considered together, external threat and internal vulnerability can provide the basis for understanding an organization’s overall risk.
A theoretical formula for thinking about risk is:
Threat x Vulnerability = Risk
This simple equation means that risk depends both on the actual threats you face and on your vulnerability to those threats. Consider the threat of being hit by a thrown stone while driving down a rural road. If the road is on an uninhabited island and there is no one to throw rocks at you, the threat is zero, and even if your vulnerability is high (for example, you drive very slowly, with the windows open and the radio going, while laughing and joking about the poor skills of the local marksmen) you still have no risk of being hit. On the other hand, imagine that there is indeed a troublemaker waiting in ambush with a rock, but this time you have decided to drive in a fully armored military tank. In this case your risk is still zero, because even if the rock is thrown it cannot hurt you in your well-protected vehicle. In other words, your vulnerability is now zero, so again your risk is zero.
Once the local threats and your vulnerability to them have been identified, the next step in the threat assessment process is to evaluate both their impact and likelihood.
Impact is the measure or estimate of how much damage you will suffer if the potential threat were actually to occur.
Likelihood is the measure or estimate of how probable it is that the event will happen.
Once the impact and likelihood of each threat you face have been assessed, these two factors can be plotted together. The resulting picture gives a useful understanding of the threats and allows you to prioritize the actions you can take to reduce the risk arising from them. This process, and the tools for plotting and analyzing risk using impact and likelihood, are described in greater detail in module 7 – Risk Assessment and the Risk Matrix.
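The following is an added worked example, not part of the module's own material, that puts the two ideas above into code: the Threat x Vulnerability = Risk formula (including the two rural-road cases, where a zero on either side gives zero risk) and the impact-versus-likelihood ranking that feeds a risk matrix. The 0-to-5 scales, the band thresholds and the sample scenarios are assumptions constructed for the example; the module itself prescribes no numbers.

```python
from dataclasses import dataclass

# Scales are assumptions for this example; the module gives no numeric scales.
#   threat, vulnerability: 0 (absent) .. 5 (maximal)
#   impact, likelihood:    1 (negligible / rare) .. 5 (severe / almost certain)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: int
    vulnerability: int
    impact: int
    likelihood: int


def risk(threat: int, vulnerability: int) -> int:
    """Threat x Vulnerability = Risk. A zero on either side yields zero risk."""
    for value in (threat, vulnerability):
        if not 0 <= value <= 5:
            raise ValueError("threat and vulnerability must be in 0..5")
    return threat * vulnerability


def rate(impact: int, likelihood: int) -> str:
    """Place impact x likelihood on a 5x5 matrix and name its band (assumed thresholds)."""
    for value in (impact, likelihood):
        if not 1 <= value <= 5:
            raise ValueError("impact and likelihood must be in 1..5")
    score = impact * likelihood
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritise(scenarios):
    """Drop zero-risk scenarios, then order the rest by impact x likelihood, highest first.

    Ties are broken by impact, since damage is usually harder to undo than
    likelihood is to reduce. Returns (name, score, band) tuples.
    """
    live = [s for s in scenarios if risk(s.threat, s.vulnerability) > 0]
    live.sort(key=lambda s: (s.impact * s.likelihood, s.impact), reverse=True)
    return [(s.name, s.impact * s.likelihood, rate(s.impact, s.likelihood)) for s in live]


# Constructed sample register (not from the module): the two rural-road cases
# plus three generic organisational scenarios with made-up ratings.
SAMPLE = [
    Scenario("stone thrown, uninhabited island", threat=0, vulnerability=5, impact=3, likelihood=1),
    Scenario("stone thrown, armoured vehicle", threat=4, vulnerability=0, impact=1, likelihood=4),
    Scenario("office burglary", threat=3, vulnerability=2, impact=4, likelihood=2),
    Scenario("phishing of staff email", threat=5, vulnerability=3, impact=4, likelihood=4),
    Scenario("laptop left on public transport", threat=2, vulnerability=4, impact=3, likelihood=3),
]

if __name__ == "__main__":
    # Prints the prioritised list; the island and tank cases are filtered out as zero risk.
    for name, score, band in prioritise(SAMPLE):
        print(f"{band:8} {score:2}  {name}")
```

Both rural-road scenarios disappear from the output because one factor of the risk formula is zero, exactly as the text argues; the remaining scenarios are ranked so that the one sitting in the top-right corner of the matrix (high impact, high likelihood) is addressed first.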