Not all Threats are Vulnerabilities

Aug 6, 2018 | Assessments

What is a vulnerability?

When looking for vulnerabilities don’t consider technical threats as the only threats to the system.  Your security should include some attention to all threats.

A system vulnerability is defined as a weakness to the system.  For example, an outdated application could have an associated exploit that could allow an attacker to gain access to the system.  Is that a threat?  You bet.  However, threats continue beyond the technical components of the system.  For example, an earthquake could wreck a security closet in the basement of an old building.  Is that a threat?  You bet (again).  However, is it a weakness in the system?  Not by design. Threats are defined as anything that could potentially impact business operations including functions or reputation.  According to the National Institute of Standards and Technology (NIST), there are four sources of threats.

Types of Threats

The first threat source is one we already know; hostile cyber or physical attacks. These are individuals, organizations or even states that seek to harm another entity.  These threats are usually targeted and with intent.

The second threat source is human errors of omission or commission.  These are one of the best sources of entry into a system. The human error is often a result of not paying attention.  Accidental or misconfigurations and responding to phishing emails are good examples.  However, errors can also be deliberate and with intent such as setting up a personal Wi-Fi connection inside the corporate network to by-pass services (such as multimedia, social media, or games) that would otherwise be blocked by corporate policy.

The third threat source is structural failures of organization-controlled resources (e.g., hardware, software, environmental controls). These are failures beyond our control.  Hardware failures are easier to spot than software failures.  The aging software may lose its capacity to work correctly when the operating systems are kept up to date or when new peripherals have replaced the old ones.  Environmental controls can also affect performance.  For example, server rooms should have adequate ventilation or separate air conditions to prevent overheating.

The fourth threat source is natural and man-made disasters, accidents, and failures beyond the control of the organization. Storms, flood, and other natural disasters are outside the control of the organization.  And yet, the risk associated with this potential threat could have a very real impact on the business performance.  A man-made disaster includes sabotage, electrical or water outage, and sadly now, even an active gunman. Preparing for these disasters requires a disaster response (DR) plan and a continuance of operations plan (COOP).


Duffy Compliance Services, LLC (DCS) is a focused cybersecurity company that determines the effectiveness of your system security.  By assessing and managing the vulnerabilities of your system, DCS can offer a detailed view of the real threats and a proper remediation plan that directly prioritizes your efforts to fix those threats.

As subject matter experts, we know that the best way to protect your business is to use knowledgeable and experienced professionals.  Knowing what to look for and where threats may exist is critical to providing the most effective security controls. Our assessments are often eye-opening by revealing system threats that are not obvious to untrained security practitioners.

Give us a call.  We will even provide you with a preliminary checklist without obligation.

Duffy Consulting Services, LLC
Cybersecurity Consultants and Analysts
Office: (301) 865-0345

Subscribe to Our Monthly Newsletter

Free education for cybersecurity.


Your personal information will not be shared and you are able to unsubscribe at any time.