Are we obscuring threat with risk and vulnerability

I have been watching this phenomenon for over a year now and after a post on NABA yesterday I thought I would take a minuute to blog about it. Over the past year I have seen, read, and heard the term Threat used in such a loose term that the true distinct meaning and classification has often been obscured in what could easily be described as risk.

When I think of threat I am consistent with the Merriam-Webster definition: an expression of intention to inflict evil, injury, or damage. The key factor is Intent. The Merriam Webster definition of Risk is: (1)-a hazard or chance of failure whose degree of probability has been reckoned or estimated before some undertaking is entered upon and (2)-an undertaking or the actual or possible product of an undertaking whose chance of failure has been previously estimated.

When we do a TRUE threat and vulnerability assessement-TVA [remember that second word] we are gathering information and intelligence about the person to procure what, if any threat and the value of that threat is or can be levied against that person. Let me just say this right now, just because a person has a billion dollars in his/her account is NOT a threat. Having amassed money is not an automatic intent of injury to that person’s life, however their lifestyle may make them vulnerable. Some lifestyle behaviors can place them in a risky situation, but having money per se is NOT a threat. We can all articulate however, how having that kind of money can make a person vulnerable, but having 7 zeros in your account is not a threat.

Vulnerabilities can be handled without a close-in protection team. Absent the presence of a verified threat many vulnerabilities can be fixed by a change in lifestyle. One of the things that are measured in a threat and vulnerability assessment is how vulnerable is the client in the cyber world. If there is a true vulnerability and risk of a cyber attack, why do we force feed a close-in team on them.

Environmental threat takes on another approach on its own. Notwithstanding any specific threat against the principal, environmental threat is where the AO [area of operations] has a violent personality/profile and the probability of harm is high. We all understand this [well most of us do]. The specific threat against your principal that you have revealed in your TVA can sometimes take a back seat to the threat of the environment. The environmental profile dictates that any ex-pat, or foreigner has a high threat of kidnap, ransom or being killed even if your principal is an unknown person. In this scenario even the protection team falls under the environmental threat. The “Risk” is intimated to the principal before going and vulnerabilities are closely evaluated against the threat and risk.

In my world a true threat [intent] has risks and vulnerabilities. Conversely all risks have vulnerabilities but not necessarily are a threat.


  1. LeonS. Adams

    Spot on target as usual, Eric. It’s also a common error in our industry to see some of our colleagues use the terms “threat” and “risk” interchangeably. Your definitions above should help to clarify the difference between the two as well as their understanding of “probability” as it pertains to assessments. Thanks for sharing and stay safe.

    Leon Adams

    1. Eric Konohia

      Thanks Leon

  2. JB

    I enjoy reading your blogs I learn something new every day.

Leave a Reply

Your email address will not be published. Required fields are marked *