CHAPTER 6 Threats and Vulnerabilities


After the initial chapters that provided an overview of the risk landscape, in Chapter 4, we took an initial look at the components of the information security landscape – assets, threats, vulnerabilities, and controls. We then began a deeper look at these components. In Chapter 5, we looked at assets, including asset types, their classifications, and characterizations.

In this chapter, we will take a close look at threats. At the end of this chapter, you should have a clear understanding of the different aspects of threats including:

  • Threat models, integrating the components of a threat
  • The forces that could act upon an asset (agents)
  • The methods by which these agents could affect an asset (actions)
  • Vulnerabilities and their relevance to threats


We have defined threats as the capabilities, intentions, and attack methods of adversaries to exploit or cause harm to assets. This is consistent with the NIST 800-30 definition of a threat as “any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure or modification of information, and/or denial of service.”1 Once the organization has identified and characterized its assets, the next step in the analysis of its information security requirements is an analysis of the threats faced by the organization. We saw ...
