The best way to tell the difference between a threat and a risk is to ask a simple question: can I control it? The reason is that a threat always comes from the outside, while a risk is exposed from the inside. Just think about the way we talk about them. Someone “takes a risk,” but it is always someone else who “makes a threat.” Some risks are absolutely required. Every retail store has cash in every register because the risk to revenue of not being able to make change for a purchase is greater than the risk that someone may come along and force an employee to give up that cash. Why is the cash a risk at all? Because there is a persistent threat that someone may try to steal from you. In security we often talk about a credible threat: a threat backed by evidence, as opposed to a threat that is completely fanciful. If I threaten to launch missiles at France because I got a bad bottle of wine on Christmas Eve, not many people will take that seriously. If someone with a violent history threatens violence against someone to whom they have easy access, then that’s a credible threat. One of the reasons people have been a bit freaked out by the Sony Hack is the mixture of crazy threats, credible threats, risks realized into troubles, potential risks that are hard to understand, and the media’s complete unwillingness to pick all that apart and understand the differences.
Luckily, if you’re reading this, we can take some shortcuts. I could tell you about the crazy Christmas Morning conversation we had around the breakfast table. I could tell you about how I had to say that even people as well connected as the POTUS can be misinformed and jump to conclusions. The conversation started because everyone asked me what I thought the “Christmas Surprise” the hackers promised would be. They offered me bombings, kidnappings, arson, and other crazy things to choose from and ranged from disappointed to incredulous when I passed on all of that. But you knew that I would. Because hackers who use well-tried methods wrapped in well-known malware exploiting terrible security flaws in unpatched, badly maintained IT infrastructure are not that special. It would take a special kind of bad guy to move from malware to Molotov cocktails, and that jump to a physical attack didn’t seem like a credible threat. “BUT WHAT ABOUT THE NORTH KOREANS!?!?!” they yelled at me like I was the Grinch who stole the Christmas gossip goose. The most interesting part about the North Korean angle has been to wonder how the US Government would react, and then to see how they actually did. But no one knows if they were truly involved, and, in the end, it wouldn’t matter much if they were. We know they aren’t much of a credible threat of a real-world attack on the US, either.
Many people want to talk about the threats in the Sony hack. Even more people want to talk about the damage done in the form of executive gossip exposed. If you’re in the digital security game, though, the real story is the risks. The real story is the risk of having so much data exposed to an attack like this one. The risk that something using brute force attacks, literally one of the oldest tricks in the book, can spread across a network the way it did is incredible. Though I know most people I’ve talked to since that’s been exposed don’t think it’s a risk they themselves are taking. If you’re in security, the risk is the real story because it’s the part you can do something to control. Risks can be mitigated. Effective controls can be put in place. Defense in depth can always get a few layers thicker and wider. Retail stores may not think theft is a huge threat, but they still put in cameras and tell employees to be on the lookout. If a center for recovering kleptomaniacs moved in next door to my shop, I would likely increase my security posture. The chances of our risks being realized are related to the types of threats out there. Now that we have all seen what happens when some hacker has a grudge instead of a profit motive, the same risks we had before have been given new weight. Our risks aren’t about the cash in the register when someone is out to shut us down. If the real story in the Sony hack is our risks, then the moral of that story is that the motivation of the people making the threats should change the way we assess the possible damage of taking our risks.
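The controllable part of the brute-force risk described above is visibility: a source that fails logins against several hosts in a short window is the pattern that lets a password-guessing campaign spread, and it is visible in ordinary authentication logs. The script below is an added example, not code from the original post and not connected to the Sony incident; it parses a few constructed, OpenSSH-style auth log lines (hosts, users, IPs and timestamps are made up) and flags sources that exceed a failure threshold across multiple hosts, also reporting where the same source later succeeded. The thresholds (`min_failures`, `min_hosts`, `window_seconds`) are illustrative assumptions, not a standard.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified OpenSSH auth.log format.
# Hosts, users, addresses and times are made up for this example.
SAMPLE_LOG = """\
2014-12-01 09:00:01 host-a sshd[101]: Failed password for invalid user admin from 10.0.0.7 port 5001
2014-12-01 09:00:02 host-a sshd[101]: Failed password for invalid user admin from 10.0.0.7 port 5002
2014-12-01 09:00:03 host-a sshd[101]: Failed password for root from 10.0.0.7 port 5003
2014-12-01 09:00:04 host-b sshd[202]: Failed password for root from 10.0.0.7 port 5004
2014-12-01 09:00:05 host-b sshd[202]: Failed password for root from 10.0.0.7 port 5005
2014-12-01 09:00:06 host-c sshd[303]: Failed password for backup from 10.0.0.7 port 5006
2014-12-01 09:00:07 host-c sshd[303]: Accepted password for backup from 10.0.0.7 port 5007
2014-12-01 09:00:08 host-a sshd[101]: Failed password for alice from 10.0.0.9 port 5008
2014-12-01 09:05:00 host-a sshd[101]: Accepted password for alice from 10.0.0.9 port 5009
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(log_text):
    """Turn log lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events


def find_spraying_sources(events, min_failures=3, min_hosts=2, window_seconds=600):
    """Return {src: {"hosts": [...], "failures": n, "succeeded_on": [...]}} for
    each source with at least min_failures failed logins against at least
    min_hosts distinct hosts inside any window_seconds-wide window.
    Thresholds are assumptions chosen for this example."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]

        # Sliding window over the failures; keep the largest qualifying window.
        best = None
        start = 0
        for end in range(len(failures)):
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = failures[start:end + 1]
            hosts_hit = {e["host"] for e in window}
            if len(window) >= min_failures and len(hosts_hit) >= min_hosts:
                if best is None or len(window) > len(best):
                    best = window

        if best:
            # A success from the same source after the spray began is the
            # line a responder wants to see first.
            first_ts = best[0]["ts"]
            succeeded = sorted({e["host"] for e in evs
                                if e["result"] == "Accepted" and e["ts"] >= first_ts})
            findings[src] = {
                "hosts": sorted({e["host"] for e in best}),
                "failures": len(best),
                "succeeded_on": succeeded,
            }
    return findings


if __name__ == "__main__":
    for src, info in find_spraying_sources(parse(SAMPLE_LOG)).items():
        print(src, info)
```

Run against the sample, the single failed login from 10.0.0.9 stays below the threshold, while 10.0.0.7 is flagged for six failures across three hosts with a later success on host-c. The point of counting distinct hosts rather than raw failures is that spread across the network, not volume on one box, is what turns a nuisance into the risk the post describes.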