What’s the difference between risk and threat?
It’s a simple question about two very common terms we use in the security industry, but one that more people need to ask themselves. And as a result of not doing so, too many security professionals end up using risk and threat (and occasionally, vulnerability too) interchangeably. This is why you end up with risk management specialists providing threat assessments, alongside threat management professionals providing risk assessments. Confused yet? If not, which do you think is better: risk management strategies for threat mitigation, or threat management strategies for risk mitigation?
I can keep going, but I think you get the point. So let’s try to sort through this mess.
The place to start is by understanding the proper definitions of the terms we use. Now, there are different sources that can give you different definitions, but the source I’ve stuck to for some years now (and the one I’d recommend) is the US government—the Department of Homeland Security, to be exact.
Threat: Natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property.
Risk: Potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.
And just for good measure:
Vulnerability: Physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard.
To put things in even simpler terms: Threat is the potential harm that can come to an asset (the thing you’re trying to protect). Risk is the likelihood that the harm will be realized. And vulnerability is the weakness by which the harm can reach the asset.
From my own perspective, the most important thing to calculate and assess is risk, not threat. Yes, we can talk about levels of threat (and agree that, say, a truck-bomb has more destructive power than a hand grenade), but what we really want to know is how likely we are to encounter each of them, i.e. risk. A threat assessment should tell you if an earthquake will be more destructive than an armed attacker. A risk assessment should tell you how likely it is for your assets to be harmed by said threats.
A good way to understand the dynamic here is to use the formula:
Threat + Vulnerability = Risk to Asset.
The risk to an asset is calculated as the combination of threats and vulnerabilities. This means that in some situations, though threats may exist, if there are no vulnerabilities then there is little to no risk. Conversely, you can have a vulnerability, but if there’s no threat, then you also have little to no risk. Either way, the most important factor we’re trying to calculate, manage and control is risk.
Another important thing to consider is what happens when we inject into the mix the all too familiar term (at least for security professionals) of Mitigation—the action of reducing the severity, seriousness, or painfulness of something. To mitigate a risk is to target the probability of a threat being realized, which is to say that you make it less likely to happen. This is pretty much the definition of preventive measures, and is where you’ll find property and access control, Circles of Security, deterrence by appearance, visual control, EP advance work, protective intelligence and surveillance detection.
To mitigate a threat, on the other hand, is to combat the active harm itself, which is the definition of reactive or counter-measures. This is where you’ll find emergency procedures (evacuation, shelter in place, run-hide-fight), apprehension and arrest, along with full-on armed response (eliminating the threat).
Now, keep in mind that there are no right or wrong strategies here, it’s just a question of fitting your mitigating actions to the situation and to your defined goals. But anyone who’s been following this blog will know that I happen to live deeply within the realm of risk mitigation, and therefore have my own biases in favor of it.
I hope this article clarified some of the terms that get tossed around out there. But keep in mind that the actual bottom line is the work itself, and the safety, security and wellbeing of everyone involved.
As always, if you beg to differ with me on anything I’ve said, I’d be most grateful for your comments, questions and suggestions.
Learn more about this subject—and many others—in my master class on Hostile Activity Prevention.
Utilizing Israeli know-how and delivered by me, Ami Toben, this online course teaches actionable, time-tested methods of prevention, detection and disruption of hostile attacks.
Ami,
While I agree that entirely too many security professionals do not understand the difference between the common vernacular, such as threat and risk, our opinions diverge at the definition of risk.
The Bottom line up front is that you cannot determine risk with out the measurement of consequence (Degree of impact, call it what you will).
Every project we work on, we start by identifying the Risk Profile for the client asset(s) and ask: What do I have to protect? What do I have to protect it from? And What do I have to protect it with?” So the 3 factors of risk are : #1. Consequence #2, Threat and #3, Vulnerability. The math for the quantitative analysis (as required by DHS) looks like this: R=CxTxV. The product of Threat x Vulnerability only gives you likelihood of a successful event. The definition you provide in your article even addresses the factor of consequence. Adding the consequence to the likelihood gives you the actual Risk. Some security professionals overlook consequence as most DHS security programs establish a baseline for consequence prior to including an asset in the program. As security risk management purists, when working outside of DHS programs, we must include all three factors.
A simple example shows two identical banks with identical vaults and a common threat. If vault #1 has $25 million and vault #2 has $1 million. Risk based decision making tells us that the risk of vault #1 is much higher.
Thank you for that very thoughtful comment, Ed.
Going by the DHS definitions, I think the idea of consequence (degree of impact) is, to the extent we can calculate it beforehand, a part of threat.
Keep in mind that in the definition of threat, we work with the word “potential” because we’re looking ahead at what COULD happen , i.e. consequence. But since it hasn’t yet happened, it’s still in the realm of a potential. The only way to calculate actual consequence is by retrospectively looking at past case studies.
Actual consequences are in the past.
Potential consequences are in the future.
As for the example with the two banks, what you’re referring to here is the size/importance of the asset, not the risk.
Ami, I suspect this is a never ending topic of discussion between threat and risk and the different methodologies and schools of thought that are out there. I happen to agree with your position, entirely, and I believe that approach is consistent with ASIS’ Risk Management Standards as well as ISO 31000. I also agree with your comment that, in the example of the bank, what is referred to is not the size of the risk, it is its importance of the asset to a particular organization. This is reflected in the impact/consequence analysis and how that may be different depending on what $25mm or $1mm represent for an organization at any given point. Once the impact/consequence level has been determined for each individual bank and a particular location, then the risk level may increase or decrease within that particular risk assessment. I believe.
Thanks for the piece and generating this important conversation.
I agree that too many security specialists confuse risk with threat. I brief my clients that threat is the source of harm and risk is a combination of the probability and consequence of this harmful event on our asset, personnel or reputation.
Ami, what you failed to mention is that when assessing adversarial threats you also need to consider their intent and capability. They may want to attack your asset but don’t have the capability or they might have the capability but are not sufficiently motivated to attack. Either way, you must conduct this preliminary assessment prior to determining the likelihood (probability) that a threat presents a risk to your asset. Therefore, to determin a level of security risk you must conduct a two-part assessment.
Also, in my professional view, risk mitigation is not about targeting the probability. Risk mitigation can include acceptance or transfer both of which focus on reducing the consequence (impact) and not the probability. I’m not sure I’ve ever mitigated a threat either; I may have reduced the threat’s capability to mount an attack but, arguably, this is also risk-mitigation as my goal is to reduce the probability of the attack occurring by reducing the capability of the source of the threat.
Finally, if you concentrate on removing the opportunity for an attack to be successful then the risk is mitigated. Don’t leave the asset exposed, don’t be in the wrong place at the wrong time and don’t allow complacency to lower your guard. I advocate that a behavioural based security program is the most cost-effective mitigation strategy – do the simple things right every time.
[…] might happen to each asset. We always try to calculate the combined value of two important factors: Threat and Risk. Threat is the potential harm to your asset, risk is the likelihood of that threat/harm being […]
[…] might happen to each asset. We always try to calculate the combined value of two important factors: Threat and Risk. Threat is the potential harm to your asset, risk is the likelihood of that threat/harm being […]
[…] If you would like to read more advanced terminology and explanations, I suggest you visit: https://protectioncircle.org/2017/01/27/threats-and-risks/ […]