A quick reminder : Don't stress on both threat and vulnerability


Threat and vulnerability are two tightly coupled aspects. There is no point to focus on a vulnerability if the threat doesn’t exist, similarly you can’t stress on a threat, if your asset is not concerned with the vulnerability (or weakness).


The question one should ask is “What are the risks to my asset ?”, and to answer this we need to run a whole Business Impact Analysis (BIA), which involves qualitative and quantitative risk assessment.

As a general equation:  Risk = Vulnerability x Threat

On the basis of the above equation, we can conclude that if an asset has a Vulnerability and that Vulnerability is exposed to a known Threat, then the asset is at Risk. 

Now that the two elements exist you need to tackle just one of the two not both, to eliminate the risk.

originally posted here