Threat is not vulnerability is not risk
It's an important distinction.
If you need a security assessment, you can get very different types of engagements depending on who you speak to.
You use threat modeling to determine what kind of dangers you are exposed to in your line of business. You wouldn't add a bunker to your basement without having a serious reason to believe you might need.
You use a vulnerability assessment to determine what areas of weakness exist in your operations. They cost a lot of money and they create more work for you. They can be automated.
You use a risk assessment to paint a picture of how things might go wrong. How often and how much will you lose? These assessments are inexpensive, and you should do them often. But you need some understand of your threats and vulnerability.
A threat is a danger, a vulnerability is a weakness, and a risk is a potential loss event.
Don't get confused by the techno-babble. If you understand this distinction, you will understand what you are buying.
I hope you found this valuable
I send out an e-mail whenever I publish new content. It's free. No spam. Unsubscribe whenever you want.