Commentary 1
I agree with the definitions provided for risk assessment and vulnerability assessment. However, I disagree with the difference cited between the two. In particular, while I agree that risk assessment involves the details needed in determining the requirements for recovering from an attack, risk assessment mainly involves the assessment or evaluation of a situation that involves a system’s exposure to danger (Maniscalchi, 2009). It also involves considerations of psychological and physical risks, as well as the protection of privacy (“Risk Assessment Guide,” n.d.). In addition, I disagree that vulnerability assessment focuses on a specific system and its capabilities and assets, because vulnerability assessment focuses more on a system’s potential to be exposed to harm or to an attack, as well as on a system’s weaknesses (Maniscalchi, 2009), which may be impacted or negatively manipulated as a result of a risk. In other words, I think that risk assessment refers to the evaluation of situations that can expose a system to an attack, while vulnerability assessment pertains to the evaluation of the potential danger that can be caused by a risk, especially in consideration of a system’s weaknesses.
Commentary 2
I agree with the writer of the post that vulnerability assessments on critical infrastructures should be required by law. They should be considered indispensable, as the failure to detect and address these vulnerabilities can lead to system damage and system losses (Carabott, 2011). The writer of the post also indicated a need for standards. I agree with this, but I’d just like to point out that such standards already exist. An example is the Sarbanes-Oxley Act, which aims to provide investors with protection and to improve the reliability and accuracy of corporate disclosures (“Sarbanes-Oxley Act,” 2012). As such, this law requires that the management teams of organizations demonstrate and certify that security controls are in place to ensure the protection of their organization’s financial information.
References
Carabott, E. (2011, May 31). Why you need to run a vulnerability assessment. Retrieved from http://www.gfi.com/blog/vulnerability-assessment/
Maniscalchi, J. (2009, June 26). Threat vs vulnerability vs risk. Retrieved from http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/#
Risk assessment guide. (n.d.). Retrieved from http://www.sciserv.org/document.doc?id=40
Sarbanes-Oxley Act. (2012). Retrieved from http://www.eeye.com/Solutions/Business-Need/Regulatory-Compliance/SOX.aspx