1.4.1. Assets, Threats, Vulnerabilities, and Risk
💡 First Principle: Risk only exists at the intersection of three factors: something worth protecting (asset), something that can harm it (threat), and a weakness that enables the harm (vulnerability). Remove any one factor and the risk disappears.
Asset: Anything of value to the organization that needs protection. Assets can be tangible (hardware, facilities) or intangible (data, intellectual property, reputation). Assets have value — the more valuable the asset, the higher the potential impact if harmed.
Threat: A potential cause of harm to an asset. Threats can be natural (earthquake, flood), human-accidental (user error, misconfiguration), or human-intentional (attacker, insider threat). Threat actors have motivation, capability, and opportunity — all three must exist for a threat to be realized.
Vulnerability: A weakness in a system, process, or control that a threat can exploit. Vulnerabilities have likelihood of exploitation — determined by how exposed the vulnerability is, how well-known it is, and whether exploit tools exist.
Risk: The intersection of threat, vulnerability, and asset value. The formal relationship:
Risk = Threat × Vulnerability × Asset Value
OR (simplified)
Risk = Likelihood of Harm × Impact of Harm
| Term | Definition | Example |
|---|---|---|
| Asset | Something of value requiring protection | Customer database containing 2M PII records |
| Threat | Agent or event that can cause harm | Ransomware-as-a-Service criminal syndicate |
| Vulnerability | Weakness enabling the threat | Unpatched SMB service, weak backup controls |
| Likelihood | Probability of threat exploiting vulnerability | High (active ransomware campaigns targeting healthcare) |
| Impact | Harm if threat is realized | $4M ransom + $12M operational downtime + $8M regulatory fines |
| Risk | Combined exposure | Very High — immediate treatment required |
| Residual Risk | Remaining risk after controls applied | Medium — after EDR, backup hardening, and network segmentation |
⚠️ Exam Trap: "Exposure" is the degree to which an asset is subject to a threat. High exposure (internet-facing server) doesn't automatically mean high risk — if the asset is low-value and the threat has low capability, risk may be manageable. Always think in terms of the intersection.
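To make the two risk formulas and the table's "Very High → Medium" residual-risk row concrete, here is an added worked example (not part of the original study guide). It scores the table's ransomware scenario, applies the three listed controls, and also checks the exam-trap case and the "remove one factor" first principle; the four-step qualitative scale, the rating bands, and the per-control reductions are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

# Qualitative scale used by this example (constructed; the page gives no numeric scale)
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
RATINGS = [(0, "None"), (2, "Low"), (4, "Medium"), (6, "High"), (9, "Very High")]

@dataclass(frozen=True)
class Scenario:
    asset_value: str    # value of the asset, i.e. the impact if it is harmed
    threat: str         # capability of a threat actor with motivation and opportunity
    vulnerability: str  # exploitability of the weakness (exposure, public knowledge, tooling)

def likelihood(s: Scenario) -> int:
    """Likelihood of harm: a threat must be able to exploit a weakness, so the
    weaker factor bounds the result and no threat or no weakness gives zero."""
    return min(LEVELS[s.threat], LEVELS[s.vulnerability])

def impact(s: Scenario) -> int:
    """Impact of harm is driven by asset value, the third factor of the formal formula."""
    return LEVELS[s.asset_value]

def risk_score(s: Scenario) -> int:
    """Risk = Likelihood of Harm x Impact of Harm, on a 0..9 scale."""
    return likelihood(s) * impact(s)

def risk_rating(score: int) -> str:
    """Map the numeric score onto the qualitative ratings used in the table."""
    return next(label for limit, label in RATINGS if score <= limit)

def apply_controls(s: Scenario, controls: dict) -> Scenario:
    """Residual risk: each control lowers one named factor by a number of levels."""
    changes = {f: NAMES[max(0, LEVELS[getattr(s, f)] - n)] for f, n in controls.items()}
    return replace(s, **changes)

# Table scenario: PII database, RaaS syndicate, unpatched SMB (ratings are constructed)
ransomware = Scenario(asset_value="high", threat="high", vulnerability="high")
# Controls from the table's residual-risk row: EDR blunts the threat, segmentation
# reduces exposure of the weakness, hardened backups reduce the impact of harm
hardened = apply_controls(ransomware, {"threat": 1, "vulnerability": 1, "asset_value": 1})
# Exam trap: internet-facing (high exposure) but low-value asset and low-capability threat
exposed_low_value = Scenario(asset_value="low", threat="low", vulnerability="high")
# First principle: remove one factor (here the weakness) and the risk disappears
no_weakness = Scenario(asset_value="high", threat="high", vulnerability="none")

for name, s in [("ransomware", ransomware), ("hardened", hardened),
                ("exposed_low_value", exposed_low_value), ("no_weakness", no_weakness)]:
    print(f"{name}: score={risk_score(s)} rating={risk_rating(risk_score(s))}")
```

Note that the exam-trap scenario stays Low even though its vulnerability is rated high, because the low threat capability bounds the likelihood and the low asset value bounds the impact.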
Reflection Question: A company runs an outdated version of a web framework with a known SQL injection vulnerability on a development server not accessible from the internet and containing no real data. What is the risk level, and what factors justify your assessment?