What’s the difference between risk and threat?
It’s a simple question about two very common terms we use in the security industry, but one that more people need to ask themselves. And as a result of not doing so, too many security professionals end up using risk and threat (and occasionally, vulnerability too) interchangeably. This is why you end up with risk management specialists providing threat assessments, alongside threat management professionals providing risk assessments. Confused yet? If not, which do you think is better: risk management strategies for threat mitigation, or threat management strategies for risk mitigation?
I can keep going, but I think you get the point. So let’s try to sort through this mess.
The place to start is by understanding the proper definitions of the terms we use. Now, there are different sources that can give you different definitions, but the source I’ve stuck to for some years now (and the one I’d recommend) is the US government—the Department of Homeland Security, to be exact.
Threat: Natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property.
Risk: Potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.
And just for good measure:
Vulnerability: Physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard.
To put things in even simpler terms: Threat is the potential harm that can come to an asset (the thing you’re trying to protect). Risk is the likelihood that the harm will be realized. And vulnerability is the weakness by which the harm can reach the asset.
From my own perspective, the most important thing to calculate and assess is risk, not threat. Yes, we can talk about levels of threat (and agree that, say, a truck-bomb has more destructive power than a hand grenade), but what we really want to know is how likely we are to encounter each of them, i.e. risk. A threat assessment should tell you if an earthquake will be more destructive than an armed attacker. A risk assessment should tell you how likely it is for your assets to be harmed by said threats.
A good way to understand the dynamic here is to use the formula:
Threat + Vulnerability = Risk to Asset.
The risk to an asset is calculated as the combination of threats and vulnerabilities. This means that in some situations, though threats may exist, if there are no vulnerabilities then there is little to no risk. Conversely, you can have a vulnerability, but if there’s no threat, then you also have little to no risk. Either way, the most important factor we’re trying to calculate, manage and control is risk.
Another important thing to consider is what happens when we inject into the mix the all too familiar term (at least for security professionals) of Mitigation—the action of reducing the severity, seriousness, or painfulness of something. To mitigate a risk is to target the probability of a threat being realized, which is to say that you make it less likely to happen. This is pretty much the definition of preventive measures, and is where you’ll find property and access control, Circles of Security, deterrence by appearance, visual control, EP advance work, protective intelligence and surveillance detection.
To mitigate a threat, on the other hand, is to combat the active harm itself, which is the definition of reactive or counter-measures. This is where you’ll find emergency procedures (evacuation, shelter in place, run-hide-fight), apprehension and arrest, along with full-on armed response (eliminating the threat).
Now, keep in mind that there are no right or wrong strategies here, it’s just a question of fitting your mitigating actions to the situation and to your defined goals. But anyone who’s been following this blog will know that I happen to live deeply within the realm of risk mitigation, and therefore have my own biases in favor of it.
I hope this article clarified some of the terms that get tossed around out there. But keep in mind that the actual bottom line is the work itself, and the safety, security and wellbeing of everyone involved.
As always, if you beg to differ with me on anything I’ve said, I’d be most grateful for your comments, questions and suggestions.
Get my book, Surveillance Zone now!
Go behind the scenes of corporate surveillance detection & covert special operations. Get a first-person account of actual covert operations I’ve participated in. Learn the secrets of the trade and discover a hidden world that’s all around you.