Risk Equation
Threat

Threat is the frequency of potentially adverse events. Because threat, by this definition, is a frequency, it can in principle be measured or at least estimated. And because the events are only potentially adverse, threat by itself is not necessarily dangerous or detrimental; an attack attempt against a system that is not susceptible to it is a threat event with no consequence. Threat rates fall into "global threat rates" (the rate at which a class of attack is observed at large, for example across the Internet) and "local threat rates" (the rate at which it actually reaches your own systems). The key is to determine, or at least estimate, the rate of whatever threats face your organization.

Vulnerability

Vulnerability is the likelihood that a particular threat category succeeds against a particular organization. That likelihood is not easy to measure directly, but a related quantity, "vulnerability prevalence," is. Vulnerability prevalence is simply the number of machines of a particular type (say, NT-based Web servers running IIS that are exposed to the Internet) that exhibit a particular vulnerability. Expressed as a fraction of the exposed machines of that type, prevalence gives a usable estimate of the likelihood that an attempt against one of them succeeds.

Cost

Cost is the total cost of the impact of a particular threat experienced by a vulnerable target. Hard-dollar costs are measured in terms of "real" damage to hardware or software, as well as quantifiable IT staff time and resources spent repairing that damage. Semi-hard costs include such things as lost business or transaction time during a period of downtime. Soft costs include lost end-user productivity, public relations damage control, a decrease in user or public confidence, and lost business opportunities.

Risk

For there to be any risk there must be at least some threat, some vulnerability and some cost. Risk is the product of the three, and the rule we all learned in sixth grade, that anything multiplied by zero is zero, means that if any one of the three components is zero, the risk is also zero. In practice you will rarely be able to say for certain that any of the three factors is zero, so you need to measure, or estimate, each of them. For instance, suppose you want to determine whether your intranet Web server is vulnerable to the "gichagoombi" attack and, if so, how large the threat is. To do this, you evaluate the threat rate in other spheres (like the Internet) and determine how that global rate translates to a local rate on your intranet, where far fewer attempts can reach the server.

Vulnerability is often the first factor to address, since it is the one over which you typically have the most control. There are always many places where you can at least partially reduce vulnerability, easily and inexpensively, for example by patching or removing some of the exposed machines that exhibit a weakness. These partial reductions are overlooked by almost everyone, yet they are exceedingly useful, especially when combined with other, complementary controls.
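The following Python is an added worked example of the risk equation above; it is not code from Cybertrust or from the original page. It models threat as an annual event rate, estimates vulnerability from vulnerability prevalence (vulnerable exposed hosts divided by exposed hosts of that type), sums hard, semi-hard and soft costs, and multiplies the three into an annual expected loss. The host inventory, the global rate of 120 attempts per year, the exposure factor used to derive a local rate from the global one, and all dollar figures are constructed sample data and assumptions for illustration, not measurements. The example also shows the two points the text makes: a factor of zero (no exposed hosts) yields zero risk, and partially reducing prevalence by patching some hosts reduces the risk proportionally.

```python
"""Risk = Threat x Vulnerability x Cost, as a runnable illustration.

Added example; all numbers below are constructed, not measured.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cost:
    """Impact of one successful event, in the page's three cost classes."""
    hard: float        # damage to hardware/software plus staff repair time
    semi_hard: float   # lost business or transaction time during downtime
    soft: float        # lost productivity, PR damage control, lost confidence

    def total(self) -> float:
        return self.hard + self.semi_hard + self.soft


@dataclass(frozen=True)
class Host:
    name: str
    kind: str          # machine type, e.g. "iis-web"
    exposed: bool      # reachable by the threat population being considered
    vulnerable: bool   # exhibits the specific weakness under study


def prevalence(hosts, kind):
    """Vulnerability prevalence as a fraction: vulnerable / exposed hosts of
    one type.  No exposed hosts of that type means the factor is zero."""
    exposed = [h for h in hosts if h.kind == kind and h.exposed]
    if not exposed:
        return 0.0
    return sum(1 for h in exposed if h.vulnerable) / len(exposed)


def local_threat_rate(global_rate, exposure_factor):
    """Translate a global rate (events/year seen at large, e.g. on the
    Internet) into a local rate for one target.  exposure_factor is an
    assumed 0..1 scaling for the share of those attempts that can reach it;
    an intranet server behind a firewall sees only a small fraction."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure_factor must be between 0 and 1")
    if global_rate < 0:
        raise ValueError("threat rate cannot be negative")
    return global_rate * exposure_factor


def risk(threat, vulnerability, cost):
    """Annual expected loss: threat (events/year) x vulnerability
    (probability of success) x cost (impact per success).  Any zero factor
    makes the product zero, which is the page's multiply-by-zero rule."""
    if threat < 0:
        raise ValueError("threat rate cannot be negative")
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability is a probability in [0, 1]")
    return threat * vulnerability * cost.total()


def annual_risk(hosts, kind, global_rate, exposure_factor, cost):
    """Combine the three measured/estimated components for one host type."""
    threat = local_threat_rate(global_rate, exposure_factor)
    vulnerability = prevalence(hosts, kind)
    return risk(threat, vulnerability, cost)


def patched(hosts, names):
    """Inventory after the named hosts have been fixed (partial reduction)."""
    return [replace(h, vulnerable=False) if h.name in names else h
            for h in hosts]


# Constructed sample inventory: four exposed IIS servers, three of them
# exhibiting the weakness, plus one mail host that is not exposed at all.
SAMPLE_HOSTS = [
    Host("web1", "iis-web", exposed=True, vulnerable=True),
    Host("web2", "iis-web", exposed=True, vulnerable=True),
    Host("web3", "iis-web", exposed=True, vulnerable=True),
    Host("web4", "iis-web", exposed=True, vulnerable=False),
    Host("mail1", "mail", exposed=False, vulnerable=True),
]

# Assumed cost of one successful compromise of a web server (sample figures).
SAMPLE_COST = Cost(hard=2000.0, semi_hard=5000.0, soft=3000.0)

GLOBAL_RATE = 120.0     # assumed attempts/year observed on the Internet
EXPOSURE = 0.25         # assumed share of those attempts reaching the intranet


if __name__ == "__main__":
    before = annual_risk(SAMPLE_HOSTS, "iis-web", GLOBAL_RATE, EXPOSURE, SAMPLE_COST)
    after = annual_risk(patched(SAMPLE_HOSTS, {"web1", "web2"}),
                        "iis-web", GLOBAL_RATE, EXPOSURE, SAMPLE_COST)
    none = annual_risk(SAMPLE_HOSTS, "mail", GLOBAL_RATE, EXPOSURE, SAMPLE_COST)
    print(f"iis-web risk before patching: {before:.0f} per year")
    print(f"iis-web risk after patching two hosts: {after:.0f} per year")
    print(f"mail risk (no exposed hosts, vulnerability factor 0): {none:.0f}")
```

With the sample data the local threat rate is 30 attempts per year, prevalence is 0.75 and cost per success is 10,000, so the annual risk is 225,000; patching two of the three vulnerable servers drops prevalence to 0.25 and the risk to 75,000, while the mail host type, having no exposed machines, carries zero risk regardless of its threat rate or cost.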

