Risk Vs Threat

What is the difference between risk and threat? have you ever thought it through?
 
Visit the Symantec security response website ( [url]http://www.symantec.com/business/security_response/index.jsp[/url]), you will find that Symantec devided the security iusses into three major categories, threat, risk, and vulnerabilities (即威胁,风险和脆弱性).
 
 
The website does not explain what is threat obviously, but we can find the answer in the threats tab threat exploer ( [url]http://www.symantec.com/business/security_response/threatexplorer/threats.jsp[/url]), the threat include Virus, Worm, Trojan, Rootkit, Exploit, etc.
 
And we can get a list of risk from the risks tab of the threat explorer,  Spyware, Adware, Dialers, Hack Tools, Joke Programs, Remote Access program, etc.
 
I am wondering what is the criteria for Symantec to devide the security issues into three categories, the vulnerabilities is easy to recognize, but what is the difference between threat and risk?
 
I searched the keyword "threat vs risk" in the google search engine, got some useful information.
 
An article named "Risk Versus Threat" ( csdl.computer.org/comp/mags/co/2003/02/r2005.pdf) discourse the difference deeply, and the views of author sounds reasonable.
 
Risk is based on the possibility of a financial loss only. Nothing else is required. In the end, for any event, there will be a resulting cost,
no matter how large or small.  

A threat includes events in which an actor engages in a behavior intended to cause a minimum loss. Any such loss must, by definition, be measurable or quantifiable.
 
Another article named "Talking Shop: The difference between threat and risk" ( [url]http://articles.techrepublic.com.com/5100-10878_11-5134882.html[/url]) says:
 
Assessing danger: threat vs. risk

Much later, I realized that this experience represented my first professional exposure to a conflict and understood how it shaped my career. At the time, I worried about the technical and procedural aspects of resolving the "security need." Later, I explored the ramifications of a proper security procedure. Eventually, I saw the basic conflict at the heart of the issue: the determination of risk rather than threat.

We feel threatened. Threat appears as we move though our lives. We pick up these feelings from news, from thinking about problems that might arise, and even from talking to other people. As human beings, we use whatever means is at our disposal to deal with threats.

We also assess risk. In order to do so, we must first define the threats that loom around us. We then come to grips with their probability and potential impact. Based on this assessment, we then formulate strategies (procedural or technical) to deal with them.

Risks have two basic values: probability and potential impact. These values combine to create the risk's severity, the reasoned measure of how much danger a risk presents. Probability measures the likelihood of the risk's occurrence throughout the life of the project. I personally use a percentage chance; other consultants I know prefer to measure probability in terms of likelihood-per-given-day (i.e., strict probability based on a logarithmic scale). Potential impact measures the damage a risk inflicts should it occur. As with priority, we generally concern ourselves with actual dollar impacts rather than secondary effects.
 
I think all of these viewpoint are right, different criteria and terms for different purpose.
 
In a word, we feel threat, and we assess risk, risk have two basic values: probability and potential impact.

本文出自 “西蒙[爱生活,爱学习]” 博客,谢绝转载!

你可能感兴趣的:(职场,休闲,风险,威胁)