By Kevin W., CISSP
In the field of Information Security, the terms vulnerability, threat, and risk have very specific meanings and are often misapplied when discussing InfoSec projects. Below are the very simplified definitions of these terms:
- Vulnerability is a weakness that could be used to cause harm
- Threat is anything that actually causes harm
- Risk is the likelihood that the harm will occur
Applied to the Death Star, the three terms map as follows:
- The vulnerability of the Death Star was the two-meter-wide thermal exhaust port whose shaft led directly to the reactor system
- The threat to the Death Star was the Rebel Alliance's X-wing starfighters
- The risk was the slim chance that a small one-man fighter could penetrate the outer defenses, use a proton torpedo to score a precise hit, and start a chain reaction that would destroy the battle station
The Empire's flawed threat modeling led them to design their defenses around a direct large-scale assault by capital ships. They felt the Death Star's shielding and turbo-lasers would be enough to mitigate the risk, but they had modeled for the wrong threat. The shielding had gaps big enough for the X-wings to pass through, and the turbo-lasers were inaccurate against the swift fighters. The Empire eventually had to deploy their TIE Fighters as a countermeasure to stop the Rebels.
However, regardless of how good your threat modeling is, information security professionals know there is always the possibility of attack vectors they never planned for. This is exactly what happened at the Battle of Yavin; little did the Empire know that Luke was about to use The Force, the ultimate zero-day exploit.
-Kevin W., CISSP