Risk Vs Threat
2008-06-07 10:50
155 查看
What is the difference between risk and threat? have you ever thought it through?
Visit the Symantec security response website (http://www.symantec.com/business/security_response/index.jsp), you will find that Symantec devided the security iusses into three major categories, threat, risk, and vulnerabilities (即威胁,风险和脆弱性).
The website does not explain what is threat obviously, but we can find the answer in the threats tab threat exploer (http://www.symantec.com/business/security_response/threatexplorer/threats.jsp), the threat include Virus, Worm, Trojan, Rootkit, Exploit, etc.
And we can get a list of risk from the risks tab of the threat explorer, Spyware, Adware, Dialers, Hack Tools, Joke Programs, Remote Access program, etc.
I am wondering what is the criteria for Symantec to devide the security issues into three categories, the vulnerabilities is easy to recognize, but what is the difference between threat and risk?
I searched the keyword "threat vs risk" in the google search engine, got some useful information.
An article named "Risk Versus Threat" (csdl.computer.org/comp/mags/co/2003/02/r2005.pdf) discourse the difference deeply, and the views of author sounds reasonable.
Risk is based on the possibility of a financial loss only. Nothing else is required. In the end, for any event, there will be a resulting cost,
no matter how large or small.
A threat includes events in which an actor engages in a behavior intended to cause a minimum loss. Any such loss must, by definition, be measurable or quantifiable.
Another article named "Talking Shop: The difference between threat and risk" (http://articles.techrepublic.com.com/5100-10878_11-5134882.html) says:
Assessing danger: threat vs. risk
Much later, I realized that this experience represented my first professional exposure to a conflict and understood how it shaped my career. At the time, I worried about the technical and procedural aspects of resolving the "security need." Later, I explored the ramifications of a proper security procedure. Eventually, I saw the basic conflict at the heart of the issue: the determination of risk rather than threat.
We feel threatened. Threat appears as we move though our lives. We pick up these feelings from news, from thinking about problems that might arise, and even from talking to other people. As human beings, we use whatever means is at our disposal to deal with threats.
We also assess risk. In order to do so, we must first define the threats that loom around us. We then come to grips with their probability and potential impact. Based on this assessment, we then formulate strategies (procedural or technical) to deal with them.
Risks have two basic values: probability and potential impact. These values combine to create the risk's severity, the reasoned measure of how much danger a risk presents. Probability measures the likelihood of the risk's occurrence throughout the life of the project. I personally use a percentage chance; other consultants I know prefer to measure probability in terms of likelihood-per-given-day (i.e., strict probability based on a logarithmic scale). Potential impact measures the damage a risk inflicts should it occur. As with priority, we generally concern ourselves with actual dollar impacts rather than secondary effects.
I think all of these viewpoint are right, different criteria and terms for different purpose.
In a word, we feel threat, and we assess risk, risk have two basic values: probability and potential impact.
Visit the Symantec security response website (http://www.symantec.com/business/security_response/index.jsp), you will find that Symantec devided the security iusses into three major categories, threat, risk, and vulnerabilities (即威胁,风险和脆弱性).
The website does not explain what is threat obviously, but we can find the answer in the threats tab threat exploer (http://www.symantec.com/business/security_response/threatexplorer/threats.jsp), the threat include Virus, Worm, Trojan, Rootkit, Exploit, etc.
And we can get a list of risk from the risks tab of the threat explorer, Spyware, Adware, Dialers, Hack Tools, Joke Programs, Remote Access program, etc.
I am wondering what is the criteria for Symantec to devide the security issues into three categories, the vulnerabilities is easy to recognize, but what is the difference between threat and risk?
I searched the keyword "threat vs risk" in the google search engine, got some useful information.
An article named "Risk Versus Threat" (csdl.computer.org/comp/mags/co/2003/02/r2005.pdf) discourse the difference deeply, and the views of author sounds reasonable.
Risk is based on the possibility of a financial loss only. Nothing else is required. In the end, for any event, there will be a resulting cost,
no matter how large or small.
A threat includes events in which an actor engages in a behavior intended to cause a minimum loss. Any such loss must, by definition, be measurable or quantifiable.
Another article named "Talking Shop: The difference between threat and risk" (http://articles.techrepublic.com.com/5100-10878_11-5134882.html) says:
Assessing danger: threat vs. risk
Much later, I realized that this experience represented my first professional exposure to a conflict and understood how it shaped my career. At the time, I worried about the technical and procedural aspects of resolving the "security need." Later, I explored the ramifications of a proper security procedure. Eventually, I saw the basic conflict at the heart of the issue: the determination of risk rather than threat.
We feel threatened. Threat appears as we move though our lives. We pick up these feelings from news, from thinking about problems that might arise, and even from talking to other people. As human beings, we use whatever means is at our disposal to deal with threats.
We also assess risk. In order to do so, we must first define the threats that loom around us. We then come to grips with their probability and potential impact. Based on this assessment, we then formulate strategies (procedural or technical) to deal with them.
Risks have two basic values: probability and potential impact. These values combine to create the risk's severity, the reasoned measure of how much danger a risk presents. Probability measures the likelihood of the risk's occurrence throughout the life of the project. I personally use a percentage chance; other consultants I know prefer to measure probability in terms of likelihood-per-given-day (i.e., strict probability based on a logarithmic scale). Potential impact measures the damage a risk inflicts should it occur. As with priority, we generally concern ourselves with actual dollar impacts rather than secondary effects.
I think all of these viewpoint are right, different criteria and terms for different purpose.
In a word, we feel threat, and we assess risk, risk have two basic values: probability and potential impact.
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Threat Intelligence-Driven Risk Analysis
- Risk, Threat, Vulnerability
- codevs 1044 拦截导弹 1999年NOIP全国联赛提高组
- vs 2005 中TreeView 控件checkbox 的回发事件
- Visual_Assist_X_10.7.1916.0_Patch For VS2012 注册方法
- VS2013 Error LNK2011简易解决方案
- VS+opencv鼠标移动图片
- VS2005批处理顺序编译解决方案
- 【转】Strategy VS Mixin
- InfoCubes VS VirtualProviders
- 糖果传奇vs.水果忍者!工作室成功背后的21款工具
- VS2013 TeeChart控件使用方法
- [codeVS1917] 深海机器人问题(费用流,拆边)
- VS.net 安装、调试的常见问题与错误
- VS2010有自带的数据对比功能
- VELT-0.1.6开发:在VS2013下用QEMU调试x86 Linux内核
- 白话解释 对称加密算法 VS 非对称加密算法 OSI模型,TLS/SSL 及 HTTPS
- C# 关于在vs 2013中的单元测试和页面测试(LTAF)
- 名师出高徒,VS 2005 调试心得。个人信息管理页面(部分)