This module is a resource for lecturers
Assets, vulnerabilities and threats
Cybersecurity measures are implemented to protect assets, which are defined as "something of importance or value, and can include people, property, information, systems, and equipment" (Maras, 2014b, p. 21), such as employees in an organization, digital devices, computer software, and data (ITU, 2008). Assets are susceptible (i.e., vulnerable) to various forms of harm. Specifically, assets have internal (or intrinsic) and external (or extrinsic) vulnerabilities. For example, with respect to information and communication technology (ICT), intrinsic vulnerabilities can be found within system design, security configurations, hardware, and software, among other areas (ENISA, 2017). A case in point is a software bug. In 2018, a software bug in Monero's cryptocurrency wallet was revealed, which enabled individuals to exploit this vulnerability to illegally double their cryptocurrency transfer amounts (Barth, 2018) (for more information about cryptocurrencies, see Cybercrime Module 2 on General Types of Cybercrime). By contrast, extrinsic vulnerabilities are not found within assets, such as ICT. A case in point is the user of ICT. The user can engage in actions that make the device susceptible to malware infection (e.g., opening attachments in emails from unknown senders). Intrinsic and extrinsic properties make assets vulnerable to threats (i.e., anything that could potentially cause an adverse effect). These threats can cause unintentional and intentional harm. For instance, hardware of a digital device can malfunction or it can be purposely damaged as a result of someone exploiting the vulnerabilities of its firmware (ENISA, 2017).