I like to believe that one of my skills is distilling complex technical concepts into something more consumable. At the risk of indulging in hubris, I like to believe I’m pretty good at it.
Now, this is a skill I use on my children all the time. So perhaps it shouldn’t have been such a surprise when I recently ended up on the receiving end of this skill.
We were discussing risk versus threat with our youngest, and I asked him to explain the two concepts to me. He did not hesitate when he provided his perspective:
“Risk is something you accept to take; a threat is something that comes from someone or something else.”
Well, that ended the conversation because while he left out the relationship between risk and threat, he wasn’t wrong. As I think about security today and the need for organizations to better understand the difference between threat and risk, his explanation came up because, as it turns out, he's only mostly right.
Today the risks of a presence on the Internet are much the same as they have been since the 20th century. The risk of a breach is still the exfiltration of data, disruption of services, poisoning of the well with trojans, backdoors, and malware, and today, the possibility of losing access to systems and data to ransomware.
The risk of these events is something every business accepts to take. It’s the entry fee to doing business on the Internet, of becoming a digital business.
Threats generally come from outside. Attacks threaten to increase the risk of a breach all the time. They ebb and flow, of course, often following disclosure of a new vulnerability or technique that opens a window of opportunity for bad actors to exploit.
Today, with many more users demanding remote access, the threat from outside is definitely growing.