Threat as a Holistic Concept

Wentz’s Risk Model

Threat Event

A threat is defined in NIST SP 800-30 as “any circumstance or event with the potential to adversely impact organizational operations and assets…”

A threat event is defined in NIST SP 800-30 as “an event or situation initiated or caused by a threat source that has the potential for causing adverse impact.”

The distinction between a threat and a threat event is subtle: a threat event is caused by a particular threat source, while a threat is more generic and is not tied to a particular threat source.

Threat Source

According to the CISSP CBK Reference, 5th edition, a threat is an actor who potentially can compromise the operation of a system.

Adverse Impact

The word "threat" may also refer to the adverse impact itself, for example when people say that something is a “huge” threat.

Threat as a Holistic Concept

In conclusion, a threat may refer to the threat event, threat source, or the adverse impact of a threat scenario. I treat a threat as a holistic concept that comprises threat source, threat event, and the adverse impact. In other words, a threat is a risk with a negative effect. It’s a good practice to use a specific term to remove vagueness and ambiguity, e.g., threat source, threat event, impact, or risk exposure when communicating in the context of risk.
