Vulnerability, Control, and Risk are not same

As Pentester, auditor, or risk assessor, it is important to understand difference between vulnerability, control, and risk. For example,

'Lack of lock on door' is not a risk.

The risk is ‘potential burglary and loss of valuables due to lack of lock at the door’.

Notice the sentence involves 3 things -
Vulnerability - lack of lock on door.
Threat - potential burglary.
Impact - loss of valuables.

Lack of a control is only half-risk, the other half comes from impact (what is the effect of 'lack of lock on the door') combined with the context (the asset, any other factors, etc.). Whether it is a vulnerability, or a risk is determined by the context. 'Lack of lock on the door' is a valid vulnerability or not, depending on the context. It is NOT a valid risk, an incomplete part of a potentially valid risk, maybe.It is lack of control and a vulnerability. But it is not the risk.

Articulating risk in your findings always makes higher impact than vulnerability on the person who reads your report because it doesn’t need them to think (about ‘what happens if I don’t fix this vulnerability’).

People appreciate those who save their time by not making them think; one way to do so is by giving them a succinct picture. Of course, that has perversely led to ppl tooting their horn at all times… 😄

[Originally published on LinkedIn as a post]

At the intersection of pentest, auditing, risk management and career advice. Musings based on real experiences, not theory. All infosec, mashed up.

‎Follow the Risky Context channel on WhatsApp (if WhatsApp is your thing. Your number is not shared with others when you connect to my channel): https://whatsapp.com/channel/0029VaDqrFU8aKvQohD5nq0r