Risk terms and concepts
A vulnerability is an inherent weakness in something (a device, system, process, situation, person etc.) that might be exploited by a threat, perhaps causing an impact of some sort.
Vulnerability exists regardless of the presence or absence of controls: the lack of a control is a separate matter, a fundamentally different concept, although the two are often confused by non-experts and even by some so-called experts.
Take, for instance, the risk of being burgled at home.
The primary threat is the burglars - the criminals who might just pick a given home to burgle. There are other threats too (e.g. untrustworthy visitors and opportunists) but let's leave it at that for now.
The primary impact on the homeowner is the loss of their assets - the valuables that are stolen. Again, there are other impacts (e.g. the traumatic feelings of their personal space being violated, and the implied or actual safety threat). The impacts of burglary differ according to one's perspective. To the homeowner or occupier, the financial replacement cost, disruption and emotional toll are all potentially significant impacts. To society, burglary rates can affect the popularity of particular areas, leading to societal and cultural changes. To insurance companies, the impacts of burglary include insurance claims and payouts ... plus increased custom (a positive business impact or opportunity for them).
So what are the vulnerabilities?
Some would claim that the lack of a burglar alarm is a vulnerability ... but, no, strictly speaking that would simply be a missing control, not an inherent weakness. Same thing with the lack of armed guards, razor wire, gun emplacements, moats, helicopter gunships, door locks, a portcullis, minefield and so on: these are all optional-extra controls that may or may not be appropriate for any property. The lack of them is not a vulnerability but may reveal or expose vulnerabilities in the property.
Inherent weaknesses include the concept of 'home' i.e. a place to live plus property that someone considers exclusively 'theirs'. If it weren't for the very notion of assets and property ownership, we would not feel so hard-done-by if burglars removed 'our' assets, since they would, in effect, own and have the same rights over them as we do. In law, this leads to the crime of conversion, larceny or theft: a criminal can only 'steal' things from me if I 'own' them. They would be depriving me of the rights over the property that lawful property owners can reasonably expect to enjoy. It's a mixture of possession and control, in the sense that, say, a ransomware infection may take possession of the data and control access to it, without literally removing it.
There are other vulnerabilities to burglary such as:
- The visibility and attractiveness of the place to burglars which, arguably, is greater relative to neighbouring properties if there is no obvious alarm, if the place appears unoccupied, if doors and windows are left open etc.;
- The need to admit various people for legitimate purposes e.g. tradesmen, the emergency services and debt collectors, friends and family;
- Welcome mats, house parties and various other invitations to visit or enter e.g. tenants, guests, 'open house' marketing promotions and parties;
- At a societal level, factors such as widespread and harsh socio-economic hardship increase the threat of burglary in afflicted areas, hence the conditions that caused or led to that situation might be termed vulnerabilities - 'contributory factors', perhaps.
Conceptually, we've come a long way from 'lack of a burglar alarm'!
If you're still not convinced of the difference, can I persuade you to buy my magic crystal? The crystal emits a particular form of sub-ether energy vibrations that burglars find intolerable, but legitimate visitors don't even notice. Burglars find it too uncomfortable to approach or enter the property. Without my magic crystals, your home is highly vulnerable. A snip at just $20 per gram (minimum 500 grams, delivery, installation and sales tax extra). PS The crystals also ward off evil spirits and insurance salesmen.