Vulnerability Assessment or Risk Analysis?

Security is a term that is used in all sectors of the economy. It has been known to make or break economies, kingdoms, and businesses. Perhaps it is the only concern a hotelier shares with a nuclear weapons producer. Then computers came along, and we now have to redefine the term “security”. You have successfully finished assembling your website, computer software or cloud-based service. So what do you do next? This is a no-brainer: seal all security loopholes in your system, and while you are at it, keep reminding yourself, “don’t get hacked”. Sealing a security loophole is one thing, and finding it is another. There are three standard practices for identifying security loopholes in any IT system: vulnerability assessment, risk analysis, and penetration testing.

Understanding the difference

  • Vulnerability assessment – although it is often mistaken for, and used interchangeably with, penetration testing, it is completely different from the latter. Vulnerability assessment is commonly done using off-the-shelf software. Typically, it involves scanning your IP addresses for known vulnerabilities such as Heartbleed. According to, a vulnerability assessment generates a vulnerability report that lists the vulnerabilities detected and gives specific remediation steps.
  • Penetration test – this is an advanced form of vulnerability assessment that, more often than not, tests the output of the vulnerability report. The process involves probing an open port in your system to find out what an attacker could exploit. A penetration test differs from a vulnerability assessment in that it does not seek to find and document vulnerabilities; it analyzes the severity of any discovered vulnerabilities and documents the resources that are at risk.
  • Risk analysis – after all is said and done, you will want to produce a risk analysis report. This is a comprehensive document that goes beyond recording what might be at risk: it assigns a figure to the risk (financial, regulatory, business continuity, and so on). A risk analysis can therefore project where your company would stand should the risks be exploited. Risk analysis is hence where finance, insurance, and security meet.
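As an added example (not from the original post), the script below shows the step from a vulnerability report, which only lists findings, to a risk analysis that puts a figure on each asset. It assumes the annualized loss expectancy (ALE) model, constructed asset values and a severity mapping; none of these come from the post.

```python
"""
Added example: turn a constructed vulnerability-assessment report into a
risk register.  Assumed model (not named in the post):
    ALE = asset value * exposure factor * annual rate of occurrence
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str      # host or service the scanner flagged
    vuln: str       # scanner's identifier for the weakness
    severity: str   # scanner's label: low / medium / high / critical


# Assumed business inputs (USD); a scanner does not know these.
ASSET_VALUE = {"web-01": 250_000.0, "db-01": 1_000_000.0}

# Assumed mapping: severity -> (exposure factor, occurrences per year).
SEVERITY_MODEL = {
    "low": (0.05, 0.1),
    "medium": (0.20, 0.5),
    "high": (0.50, 1.0),
    "critical": (0.80, 2.0),
}


def annualized_loss(f: Finding) -> float:
    """Expected yearly loss in USD for one finding."""
    exposure, rate = SEVERITY_MODEL[f.severity]
    return ASSET_VALUE[f.asset] * exposure * rate


def risk_register(findings):
    """Sum expected loss per asset; costliest asset first."""
    totals = {}
    for f in findings:
        totals[f.asset] = totals.get(f.asset, 0.0) + annualized_loss(f)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample report; identifiers are placeholders, not real findings.
SAMPLE_REPORT = [
    Finding("web-01", "FINDING-001", "critical"),
    Finding("web-01", "FINDING-002", "low"),
    Finding("db-01", "FINDING-003", "medium"),
]

if __name__ == "__main__":
    for asset, ale in risk_register(SAMPLE_REPORT):
        print(f"{asset}: expected loss ${ale:,.0f}/year")
```

The same three findings rank differently once asset value is applied: the single medium finding on the database is worth more than the low one on the web server, which is the information a vulnerability report alone does not give.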
