Educause Security Discussion mailing list archives
Re: Vulnerability vs. Risk Assessments
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 4 Nov 2009 22:14:40 -0500
On Wed, 04 Nov 2009 19:03:01 MST, Chris Kidd said:
> I'm having a hard time articulating the difference between these two types of assessments, so I'm hoping someone can clearly define them.
It's pretty clear the difference between a vulnerability assessment and a risk assessment, once you get vulnerability and risk straight.

Vulnerability: Can some miscreant find a way to do XYZ to you?

Risk: How many miscreants are likely to *actually* do so, and how screwed are you if it happens?

A system can be both highly vulnerable (for instance, a stand-alone kiosk with known buggy software that is known to crash if somebody hits the shift and control keys at the same time), but be low-risk (power cycle the kiosk and reboot from the read-only CD, no major loss suffered).

A system can be not very vulnerable (a heavily firewalled and hardened server in a high-security area) but still be high-risk (if that sensitive data escapes, we *will* suffer $10M in damage and losses).

That help?