
In cyber security, it’s pretty common to hear the words “vulnerability” and “risk” used interchangeably. It’s an easy trap to fall into – after all, both sound like bad news.
But if you’re trying to build a resilient organisation, treating them as the same thing is a recipe for alert fatigue and wasted budget. At Cydea, we’re all about improving the cyber risk conversation, and that starts with understanding key vocabulary.
So, let’s take a look at the difference between vulnerability and risk.
Vulnerability: A hole in the fence
Think of a vulnerability as a flaw or a weakness. It’s the broken slat in a garden fence, the hole in your umbrella, an unpatched piece of software, or a password that’s a little too basic.
Vulnerabilities are a fact of life, both in the real world and the digital world. However, a vulnerability only becomes a risk when it meets a threat.
Threat: The hungry fox
The threat is whoever, or whatever, might exploit the vulnerability: an organised criminal gang, a script kiddie with a new malware kit to try, a privileged user making an accidental misconfiguration, or that disgruntled former employee with an axe to grind.
Risk: What could happen if the fox finds the hole
Risk is the combination of the likelihood of something bad actually happening and the impact it could have on your business if it did happen. It’s the fox noticing the broken slat, crawling through, and making off with your prize-winning chickens.
In our world, the calculation looks something like this:
Likelihood = Vulnerability × Threat
Risk = Likelihood × Impact
If any of the three variables (threat, vulnerability or impact) is zero, your total risk is effectively zero, even if the hole in your fence is huge. That is also why a scanner's severity rating on its own is not a risk rating: it describes the size of the hole, not whether a fox can reach it or what it would find on the other side.
When does a vulnerability stay low risk?
There are plenty of times when a “critical” vulnerability might not actually be a priority for your team. Here are three common scenarios:
1. There’s no fox (No threat present)
A vulnerability only matters if something, or someone, is in a position to exploit it. If you have a legacy server with a known flaw but it's sitting in a locked room, air-gapped from your network and disconnected from the internet, no attacker has a path to it, so the risk is low.
The hole in the fence is still there, but the fox is too busy eating the free-range chickens in the unfenced yard down the road.
2. There's a second fence (Compensating controls are in place)
Even with the best will in the world, it's not always possible to patch vulnerabilities right away: the patch may not be available, we may not have access to the system, or we may not even be aware of the flaw yet.
However, if that vulnerable system sits behind a robust firewall, requires multi-factor authentication, and is monitored 24/7 by a SOC, you've effectively built a second, stronger fence around the broken one. The risk is reduced rather than removed, so the vulnerability still belongs on the backlog; it just doesn't need to jump the queue.
The hole in your interior fence remains, but the fox has a much harder time getting to it.
3. You have no chickens (There would be no impact)
Not all assets are created equal. A critical vulnerability on a laptop that holds no sensitive data and has no access to your main network is a very different story from the same flaw on your primary customer database. If the impact to your business would be zero, your effort is better directed elsewhere. Genuinely zero-impact assets are rarer than they look, though; check what the device can actually reach before writing it off.
In this scenario, there’s a hole in your fence and a fox has found his way through it, but there’s nothing for him to eat when he gets there.
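As an added illustration (not Cydea's model or code), here is a small Python triage routine that applies the two formulas above to a constructed set of findings covering the three scenarios. The 0-5 scale for each factor, the asset names and the scores are assumptions for the example; the point it shows is that four "critical" scanner findings end up in four very different places once threat and impact are taken into account, and a "medium" can outrank two of them.

```python
"""Risk-based triage of scanner findings.

Added illustration of Likelihood = Vulnerability x Threat and
Risk = Likelihood x Impact, using an assumed 0-5 scale for each factor
and a constructed set of findings. This is not Cydea's own model.
"""
from collections.abc import Iterable
from dataclasses import dataclass

# Rank of the labels a typical scanner emits (assumed for the example).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    scanner_severity: str  # what the vulnerability scanner reported
    vulnerability: int     # 0-5: how exploitable the flaw is (assumed scale)
    threat: int            # 0-5: how likely a capable actor can reach it
    impact: int            # 0-5: business impact if it were exploited

    def __post_init__(self) -> None:
        for name in ("vulnerability", "threat", "impact"):
            if not 0 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be on the 0-5 scale")


def likelihood(f: Finding) -> int:
    """Likelihood = Vulnerability x Threat (0-25)."""
    return f.vulnerability * f.threat


def risk(f: Finding) -> int:
    """Risk = Likelihood x Impact (0-125). Zero if any factor is zero."""
    return likelihood(f) * f.impact


def by_scanner(findings: Iterable[Finding]) -> list[Finding]:
    """Naive ordering: trust the scanner's severity label."""
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.scanner_severity], reverse=True)


def by_risk(findings: Iterable[Finding]) -> list[Finding]:
    """Risk-based ordering: highest residual risk first (stable for ties)."""
    return sorted(findings, key=risk, reverse=True)


# Constructed findings: the customer database, one example per scenario
# on the page, and a lower-severity flaw on an exposed asset.
FINDINGS = (
    Finding("primary customer database", "SQL injection in the ordering API",
            "critical", vulnerability=5, threat=4, impact=5),
    Finding("air-gapped legacy server", "remote code execution in an old service",
            "critical", vulnerability=5, threat=0, impact=4),   # 1. no fox can reach it
    Finding("finance file server", "same RCE, behind firewall + MFA + 24/7 SOC",
            "critical", vulnerability=5, threat=1, impact=4),   # 2. second fence
    Finding("visitor kiosk laptop", "same RCE, no data, isolated network",
            "critical", vulnerability=5, threat=4, impact=0),   # 3. no chickens
    Finding("public marketing website", "reflected XSS on the contact form",
            "medium", vulnerability=2, threat=5, impact=3),
)


def triage_order(findings: Iterable[Finding] = FINDINGS) -> list[str]:
    """Asset names in risk order, handy for reports and for checking the model."""
    return [f.asset for f in by_risk(findings)]


if __name__ == "__main__":
    print(f"{'asset':28} {'scanner':9} {'likelihood':>10} {'risk':>5}")
    for f in by_risk(FINDINGS):
        print(f"{f.asset:28} {f.scanner_severity:9} {likelihood(f):>10} {risk(f):>5}")
```

Run as a script it prints the findings in risk order: the customer database first, the medium-severity website flaw second, the firewalled finance server third, and the two "critical" findings with a zero factor at the bottom. The scanner ordering would have put all four criticals above the website.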
Why this matters for your business
If your security team treats every single vulnerability as a red alert, they’ll quickly burn out. More importantly, you’ll spend your limited time and resources fixing things that don’t actually move the needle on your resilience.
By taking a risk-based approach – our speciality here at Cydea – you can stop playing whack-a-mole and start focusing on the threats that truly pose a danger to your customers and your organisation.
Reframe “Patching” as “Protecting”
Understanding this distinction is the first step toward a more mature security programme. It’s about being pragmatic, not perfect.
How does your organisation measure risk? If you’re still staring at a never-ending list of vulnerabilities and wondering where to start, we can help. Our Cydea Risk Platform is designed to help you cut through the noise and justify your security spending where it matters most.
In the meantime, stay optimistic – and keep an eye on those fences!