OCTAVE Properly Distinguishes Between Threats and Vulnerabilities

You may have heard of Carnegie Mellon's Software Engineering Institute. Within SEI's Networked Systems Survivability program is the Survivable Enterprise Management group. Members of this group developed the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method. OCTAVE is "a self-directed approach for assessing and managing information security risks. OCTAVE allows an enterprise to identify the information assets that are important to the mission of the organization, the threats to those assets, and vulnerabilities that may expose the information assets to the identified threats." Already you should notice that the OCTAVE crew is using the terms risk, asset, threat, and vulnerability properly. In fact, a look at the OCTAVE Threat Profiles (.pdf) document reveals additional understanding of the differences between threats and vulnerabilities:

"Below is an expanded classification of threat actors.

• non-malicious employees: people within the organization who accidentally abuse or misuse computer systems and their information


• disgruntled employees: people within the organization who deliberately abuse or misuse computer systems and their information


• attackers: people who attack computer systems for challenge, status, or thrill


• spies: people who attack computer systems for political gain


• terrorists: people who attack computer systems to cause fear for political gain


• competitors: people who attack computer systems for economic gain


• criminals: people who attack computer systems for personal financial gain


• vandals: people who attack computer systems to cause damage"

What, no mention of problems with Microsoft RPC services on port 135 TCP? No Cisco router denial of service condition? OCTAVE and the SEI know the difference between threats and vulnerabilities and they speak authoritatively on the subject. Kudos to them for being rigorous with their terms and work.