Threats vs. Vulnerabilities
Schneier's blog links to a short paper on the difference between threats and vulnerabilities. It's a little heavy for this early in the morning, but it might be worth your time.
"Conversion, fastidious Goddess, loves blood better than brick, and feasts most subtly on the human will." -- Virginia Woolf, "Mrs. Dalloway"
Re:What? (Score:5, Informative)
A threat is a possible action taken against you. A vulnerability is a specific avenue by which that threat can be realized. Threats and vulnerabilities exist in different ways. Threats represent things that *might* happen in the future. What you are worrying about is threats *materializing* as attacks. Vulnerabilities don't materialize -- they're there in the system all along.
The practical purpose of this distinction is that the actions you take in response to a vulnerability are different from the actions you take in response to a threat, and the *results* are *vastly* different.
The response to a vulnerability is to *eliminate it*. Having no lock on a door is a vulnerability you eliminate by putting a lock on the door. Note that eliminating a vulnerability does not eliminate vulnerabilities as a class of concerns; in fact it may introduce a new vulnerability. By installing a lock you've eliminated the vulnerability of somebody simply walking into your house, but you've replaced it with the less serious vulnerability of having the lock picked.
The response to a threat is to *reduce your exposure to it*. Burglary is a threat; you can reduce your exposure to it by eliminating vulnerabilities (the lockless door, the piles of cash under your mattress), and taking steps to reduce the damage (buying insurance), but *eliminating* burglary is not a feasible goal.
It's a useful distinction because it separates concerns that you can eliminate with immediate, concrete actions from those you have to keep an eye on.