
New Glossary Term: Threat

Last post 06-27-2007 9:31 AM by rybolov. 8 replies.
Page 1 of 1 (9 items)
  • 05-07-2007 2:06 PM

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    New Glossary Term: Threat

    Threat: A natural, human, or environmental source with the intent or opportunity to trigger the exploitation of a vulnerability


    Example 1: Tornado

    Example 2: Malicious hacker

    Example 3: Chemical spill

    -E
    • Post Points: 35
  • 05-09-2007 2:08 PM In reply to

    • Jason
    • Top 10 Contributor
    • Joined on 03-02-2007
    • Posts 17
    • Points 60

    Re: New Glossary Term: Threat

    I think this definition needs to be expanded to include a threat source.  If you talk with secure software developers they have a practice called threat modeling, which is well defined by some of the big industry vendors.  In terms of threat modeling developers consider "SQL Injection" a threat.  I had a 1-hour chat session with several developers to explain it was not a threat, it's a vulnerability.  During the discussion I came to the reality that threat sources must be defined.  It will be hard for the current threat definition to work for the software developers if they think SQL injection is a threat.  

    A threat-source can be defined as any circumstance or event with the potential to cause harm to an information asset.  Threat-Sources can take many forms, including people (such as insiders or Internet users), technology (such as worms or Trojans), and events (such as floods or fires).
    Although SQL injection is a vulnerability, it also is a method or threat-source (technology).  I believe without explicitly defining threat sources, we may be leaving out the BRIDGE to include the many in the secure software community. 

    Thoughts?


    • Post Points: 35
  • 05-09-2007 3:44 PM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: New Glossary Term: Threat

    Jason:
    Although SQL injection is a vulnerability, it also is a method or threat-source (technology).  I believe without explicitly defining threat sources, we may be leaving out the BRIDGE to include the many in the secure software community. 

    I think you have hit the nail on the head sir.

    • Post Points: 20
  • 05-09-2007 4:32 PM In reply to

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    Re: New Glossary Term: Threat

    Well, I see threat coming from three sources as per the original definition: human, natural, and environmental.  I try to keep it as simple as possible to help break down risk to manageable components.

    While I can understand the issue with something like SQL injection, I would see, even as a developer myself, SQL Injection as an attack vector or tactic (i.e., something a human would use to exploit a system that is vulnerable to SQL injection).  Ultimately the source would still be human; SQL injections don't just happen, someone triggers them.  Also, I would say it, in itself, is not a vulnerability.  It becomes one when the system being attacked isn't doing something like input validation that checks for SQL injection.

    When doing threat modeling or risk assessments, I always try to break things down to their fundamental parts in order to help people make a risk based decision on determining the appropriate controls and where to apply them.

    As I was working through the definitions I was thinking that a separate one would be needed for attack vector.  Something like:

    Attack Vector:  A tactic used or triggered by a threat that exploits a known or potential vulnerability.

    So, if we didn't want to leave out a "bridge" we could change or add the term Threat Model with the same or similar definition. 

    Jason:
    cause harm to an information asset

    Also, I would be hesitant in constricting it in this way, because some events don't actually cause any harm nor are they restricted to information assets. For example, war-driving and subsequently using an open access point to access the Internet is a form of "digital trespassing".  Also, some events cause performance issues, like sucking up someone's WiFi bandwidth, which can be controlled/prevented through security controls.

    Therefore, the impact (harmful or otherwise) needs to be determined as part of the entire risk profile.  This is why I included likelihood (potential) and impact (harm, outage, performance, etc.) as part of the Risk definition.

    -E
    • Post Points: 5
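    The distinction ebreece draws above (SQL injection is the tactic; the vulnerability is the code that splices untrusted input into a query) is easy to see in working code. The following is an added illustration written for this thread, not code from any poster or from the ISM-Community. It uses Python's standard sqlite3 module with a constructed in-memory user table: the same input is sent to a query built by string concatenation and to a parameterized query, and only the concatenated version lets the input change the query's structure. The table contents and the tautology input are constructed sample data.

```python
import sqlite3


def build_db():
    # Constructed in-memory user store standing in for an application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The vulnerability: user-controlled text is spliced into the statement,
    # so the database parser reads it as SQL rather than as a value.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    # The control: the statement's structure is fixed and the value is bound
    # separately, so quotes or keywords in the input never alter the query.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# Constructed input of the kind a human actor would submit through a form;
# it is harmless data to the parameterized query and SQL to the concatenated one.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    # Run both lookups against a normal username and the tautology input and
    # return the results so the difference can be checked rather than eyeballed.
    conn = build_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "bob"),
        "normal_parameterized": lookup_parameterized(conn, "bob"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_parameterized": lookup_parameterized(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

    The point for the glossary debate: the input is identical in both cases, so whether harm results depends on a property of the system (parameter binding or validation), which is the vulnerability, while the input itself is the attack vector a human threat-source chooses.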
  • 05-10-2007 9:59 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: New Glossary Term: Threat

    The end of SP 800-30 provides a glossary and has some nice definitions I think.


    • Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
    • Threat-source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
    • Threat Analysis: The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

    These all work for me and from what I can see work for others in this thread?

    • Post Points: 20
  • 05-15-2007 12:06 PM In reply to

    • ebreece
    • Top 10 Contributor
    • Joined on 04-24-2007
    • Twin Cities
    • Posts 39
    • Points 585

    Re: New Glossary Term: Threat

    In 800-30 they have defined and use threat sources at two different levels.  One being "Common Threat Sources", which are the human, natural, and environmental, but then they outline "Threat-Source" as then being very specific (e.g., the malicious hacker, tornado, etc.).

    Personally, I'm not a fan of this, because as you read through the document it uses the term differently and then essentially uses itself to define itself.

    I like to think of "Threat-Source" as more of an attack vector, event trigger, or something along those lines.  Where I'm at currently, we're using both Attack Vector and Event Trigger in order to differentiate between intentional vs. unintentional.

    -E
    • Post Points: 5
  • 06-25-2007 9:51 PM In reply to

    • rybolov
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Washington, DC
    • Posts 149
    • Points 925

    Re: New Glossary Term: Threat

    Jason:
    It will be hard for the current threat definition to work for the software developers if they think SQL injection is a threat.

    In my world, SQL injection is the capability that a threat has.  I think a threat has to have at least one of MOM: Methods, opportunities, and motives.

    Examples:

    • Disgruntled employees use fileshare browsing attacks on unrestricted shares to conduct industrial espionage.
    • Hurricanes knock down powerlines and create flooding in coastal areas (motives unknown until I get an advanced degree in meteorology)
    • Teenagers shoplifting items in unsupervised sections of mall stores for "cheap thrills" or to prove their worth to the gang

     Of course, Your Mileage May Vary. =)

    "Those who do not understand Unix are condemned to reinvent it, poorly."
    --Henry Spencer
    • Post Points: 20
  • 06-27-2007 9:29 AM In reply to

    • mcurphey
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Europe
    • Posts 199
    • Points 2,130

    Re: New Glossary Term: Threat

    Not to get too drawn into semantics but surely SQL Injection is a method?

    • Post Points: 20
  • 06-27-2007 9:31 AM In reply to

    • rybolov
    • Top 10 Contributor
    • Joined on 02-13-2007
    • Washington, DC
    • Posts 149
    • Points 925

    Re: New Glossary Term: Threat

    mcurphey:

    Not to get too drawn into semantics but surely SQL Injection is a method?


    Yep.  I lost a little bit of concurrency by the time I got through saying my piece. =)

    "Those who do not understand Unix are condemned to reinvent it, poorly."
    --Henry Spencer
    • Post Points: 5
All Rights Reserved - The ISM-Community