From the course: Building an Effective Cybersecurity Program for Your Startup

Threats, vulnerabilities, and risks

- [Instructor] In cybersecurity, just as with any other area of your business, language is important. In order to strike the right balance when managing cybersecurity risks, it helps to use the right words. There are three terms that will come up frequently in your cybersecurity discussions: threats, vulnerabilities and risks. While these concepts are closely related, each term has a specific meaning. Threats are the bad things that could happen that might have a negative impact on your startup. Consider a data breach as an example. Every startup that stores sensitive information, ranging from customer data to intellectual property, is under constant threat of that data ending up in the wrong hands. Many cybersecurity professionals use the term threat actor when referring to a person responsible for harming your startup. In the case of a data breach, the threat actor might be a member of a criminal organization, or it could be a former employee who's angry about the way their relationship ended with your company. But threats aren't limited to human threat actors. You're also living with the threat that something could accidentally happen to your database, destroying the data that your startup depends on to survive. Vulnerabilities are the weaknesses that leave your startup exposed to threats. In the cybersecurity space, those weaknesses are often technical in nature. Maybe it's a missing security patch that allows a cyber criminal to bypass your defenses and steal your data. Or maybe it's an outdated piece of hardware that finally fails, a piece of hardware that frankly should have been upgraded months ago. But the biggest cybersecurity vulnerability in many organizations is the lack of cybersecurity training and education for your employees. Criminals often seek the easiest path to their goal. As it turns out, tricking an employee to click on a link in an email is much easier than attacking your servers or your applications directly. 
Risk is your startup's exposure to threats and vulnerabilities. More importantly, it's how you measure that exposure so you can prioritize your defenses accordingly. When you measure risks, you can plan and prioritize your response to those risks. And if you have an idea of how bad the impact might be, you can make a well-informed decision regarding how much time and money you should spend to address that risk. Many cybersecurity professionals use a simple calculation to measure risk: risk equals likelihood times impact. Likelihood is a measurement of how often a bad thing might happen, how often a threat actor might successfully attack your startup. Impact is a measurement of the damage that threat actor would do if they were successful. When you first start measuring risks, you might try a three-tier scale for likelihood and impact, something like low, medium, and high. You might also assign a number to each tier, like low equals one, medium equals three, and high equals five. If the likelihood of an attacker being successful is high but the damage is low, then the score would be five times one, or five. But if the likelihood of success is high and the potential damage is high, the score would be five times five, or 25. Since 25 is higher than five, maybe you should focus on the risk that scored a 25 first. It sounds simple, I know, but it's a quick way to stop trying to do everything all at once and shift your attention to the things that matter most. Cybersecurity threats will always be there, whether you like it or not, and threat actors are going to try to exploit vulnerabilities that put your startup at risk. But as you start speaking in terms of threats, vulnerabilities, and risks, you'll be able to prioritize your defenses in a way that keeps the threat actors at bay while enabling your startup to continue moving forward.
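The likelihood-times-impact scoring described above, applied to a small risk register so the ranking falls out of the numbers, as an added example that is not part of the course. It uses the lesson's 1/3/5 tier values; the `Risk` record, the helper names and the four register entries are constructed for illustration, and it rejects a tier name that is not on the scale so a typo can't silently score as zero.

```python
"""Risk scoring for a startup risk register: risk = likelihood x impact.

Added example, not from the course; the register entries are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Three-tier scale from the lesson: low=1, medium=3, high=5.
TIER_SCORES = {"low": 1, "medium": 3, "high": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    threat: str          # the bad thing that could happen
    vulnerability: str   # the weakness that leaves you exposed to it
    likelihood: str      # low / medium / high
    impact: str          # low / medium / high


def tier_score(tier: str) -> int:
    """Map a tier name to its number; reject anything not on the scale."""
    try:
        return TIER_SCORES[tier.strip().lower()]
    except KeyError:
        raise ValueError(
            f"unknown tier {tier!r}; expected one of {sorted(TIER_SCORES)}"
        ) from None


def risk_score(likelihood: str, impact: str) -> int:
    """risk = likelihood x impact, on the 1/3/5 scale."""
    return tier_score(likelihood) * tier_score(impact)


def prioritize(register: list[Risk]) -> list[tuple[Risk, int]]:
    """Highest score first; equal scores are ordered by impact so the
    more damaging risk sorts ahead."""
    scored = [(r, risk_score(r.likelihood, r.impact)) for r in register]
    scored.sort(key=lambda pair: (pair[1], tier_score(pair[0].impact)),
                reverse=True)
    return scored


# Constructed sample register (hypothetical entries, not real findings).
SAMPLE_REGISTER = [
    Risk("phishing", "credential theft via an emailed link",
         "no security awareness training", "high", "high"),
    Risk("unpatched server", "attacker bypasses defenses and steals data",
         "missing security patch", "medium", "high"),
    Risk("hardware failure", "database host dies, data lost",
         "outdated hardware", "high", "low"),
    Risk("lost laptop", "device with cached customer data goes missing",
         "no disk encryption", "low", "medium"),
]

if __name__ == "__main__":
    for risk, score in prioritize(SAMPLE_REGISTER):
        print(f"{score:>3}  {risk.name:<18} "
              f"likelihood={risk.likelihood:<6} impact={risk.impact}")
```

Running it prints the register ordered 25, 15, 5, 3: the phishing entry (high likelihood, high impact) lands on top, and the hardware failure that is very likely but low impact scores the same 5 as in the lesson. The point is the ordering, not the absolute numbers; once the team agrees on what "medium" means, the scale can be widened without changing the ranking logic.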
