Skip to main content

Understanding Risks, Vulnerabilities and Threats

In our system, adding a Threat to Risk does not automatically mean that all Vulnerabilities exploited by the Threat are associated with the Risk.  The following graphic breaks down the overall process for associating Risks, Threats, Vulnerabilities and Assets in ControlMap:


Detailing The Process


Let's consider THT-1: Phishing as an example.


An actor using THT-1:Phishing can exploit the following vulnerabilities:


1. VUL-1: Lack of awareness training 

2. VUL-2:  Weak authentication or lack of 2FA

3. VUL-3:  Lack of firewall 


For effective risk management and assessment, you must create a separate Risk for each combination of Threat and Vulnerability. 


Why? Because each combination of threat and vulnerability has a different impact, mitigation, and treatment option. Additionally, various departments or employees in your organization may be responsible for mitigating these risks.  Mitigating a firewall issue is very different from mitigating an awareness training issue.


For example, you create a risk called:


RSK-1: Risk of untrained employees falling prey to social engineering. 


Then the following combination of threat + vulnerability applies:

Threat -> THT-1: Phishing 

Vulnerability -> VUL-1: Lack of training 


In the case above, if you expect all vulnerabilities linked to THT-1 to show for RSK-1 automatically, it will be misleading.  For example, VUL-3: Lack of the firewall will not be the right vulnerability for RSK-1.