A threat is defined in NIST SP 800-30 as “any circumstance or event with the potential to adversely impact organizational operations and assets…”
A threat event is defined in NIST SP 800-30 as “an event or situation initiated or caused by a threat source that has the potential for causing adverse impact.”
The distinction between a threat and a threat event is subtle: a threat event is caused by a particular threat source, while a threat is the more generic notion, not tied to any particular threat source.
According to the CISSP CBK Reference, 5th edition, a threat is an actor who potentially can compromise the operation of a system.
In everyday usage, “threat” may also refer to the adverse impact itself, as when people say that something is a “huge” threat.
Threat as a Holistic Concept
In conclusion, a threat may refer to the threat event, the threat source, or the adverse impact of a threat scenario. I treat a threat as a holistic concept that comprises the threat source, the threat event, and the adverse impact. In other words, a threat is a risk with a negative effect. It is good practice to use a specific term, e.g., threat source, threat event, impact, or risk exposure, when communicating in the context of risk, so as to remove vagueness and ambiguity.