What is the difference between vulnerability assessment and threat model?

Prepare for the DSAC Annex F Test with comprehensive flashcards and multiple choice questions. Access hints and explanations for each question to ensure you’re ready for your exam!

Multiple Choice

What is the difference between vulnerability assessment and threat model?

Explanation:

A vulnerability assessment and a threat model look at security from two distinct angles: one focuses on weaknesses present in a system, the other on the pathways an attacker would take to its assets. A vulnerability assessment aims to uncover weaknesses in the system's configuration, software, or controls: unpatched software, misconfigurations, weak credentials, or insecure settings. It is about finding concrete flaws that already exist in what is deployed and could be exploited, typically through scanning and review of the running system.

Threat modeling takes a broader view of risk by asking how an attacker could reach the most valuable assets. It maps out potential attack scenarios, attacker capabilities, trust boundaries, and the paths an intrusion could take, then weighs likelihood and impact to decide where mitigations matter most. Because it works from the design and the data flows rather than from a scan, it can be done before any code exists, and it prioritizes defenses based on how threats combine against real assets rather than on the list of known flaws alone.

So the best description is that vulnerability assessment identifies weaknesses, while threat modeling analyzes attack scenarios and risk. For example, a vulnerability assessment might flag an outdated library on a host as a weakness; threat modeling would evaluate whether an attacker can actually reach that host, what data sits behind it, and which mitigations (patching, access controls, or network segmentation) would most reduce overall risk. The two are complementary: scan findings feed the threat model with concrete weaknesses, and the threat model tells you which findings to fix first.

Other options blur who is responsible or mix in unrelated activities (designing defenses, testing hardware, replacing incident response, or measuring performance or user experience), none of which captures the core distinction between finding weaknesses and analyzing attack scenarios and risk.
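The following is an added example, not part of the original flashcard explanation. It shows the outdated-library case above in code: the same scanner finding appears on two hosts, and a small threat model (internet exposure plus which assets each host can reach) re-ranks the findings differently from raw scanner severity. All host names, findings, CVSS numbers, asset values and the likelihood/impact weights are constructed for illustration and are assumptions of this example, not a standard.

```python
"""Added example: threat-model context re-ranking vulnerability-assessment findings.

Everything below (hosts, findings, scores, asset values) is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One row of vulnerability-assessment output: a concrete flaw on a host."""
    host: str
    issue: str
    cvss: float  # scanner severity, 0-10 (constructed values)


@dataclass(frozen=True)
class ThreatContext:
    """What the threat model knows about a host that the scanner does not."""
    internet_exposed: bool        # is this host an attacker entry point?
    reachable_assets: tuple       # assets an attacker on this host can reach


# Constructed impact weights per asset (assumption: 0-10 scale).
ASSET_VALUE = {"customer-db": 10, "build-server": 7, "wiki": 2}

# Constructed scan output: the vulnerability assessment's view.
# Note that web-01 and wiki-01 carry the identical finding and severity.
FINDINGS = [
    Finding("web-01", "outdated TLS library", 7.5),
    Finding("wiki-01", "outdated TLS library", 7.5),
    Finding("jump-01", "default SSH credentials", 9.8),
]

# Constructed threat model: attacker entry points and paths to assets.
CONTEXT = {
    "web-01": ThreatContext(internet_exposed=True, reachable_assets=("customer-db",)),
    "wiki-01": ThreatContext(internet_exposed=False, reachable_assets=("wiki",)),
    "jump-01": ThreatContext(internet_exposed=False, reachable_assets=("build-server", "customer-db")),
}


def likelihood(ctx: ThreatContext) -> float:
    """Assumed likelihood weight: internet-facing hosts are reached far more often."""
    return 1.0 if ctx.internet_exposed else 0.3


def impact(ctx: ThreatContext) -> float:
    """Impact is driven by the most valuable asset reachable from the host."""
    return max((ASSET_VALUE[a] for a in ctx.reachable_assets), default=0)


def risk_score(f: Finding, ctx: ThreatContext) -> float:
    """likelihood x impact, scaled by scanner severity as an exploitability proxy."""
    return round(likelihood(ctx) * impact(ctx) * (f.cvss / 10), 2)


def rank_by_scanner(findings):
    """What a vulnerability assessment alone gives you: order by CVSS."""
    return [f.host for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_threat_model(findings, context):
    """What the threat model adds: order by risk to reachable assets."""
    return [f.host for f in sorted(findings, key=lambda f: -risk_score(f, context[f.host]))]


if __name__ == "__main__":
    print("scanner order      :", rank_by_scanner(FINDINGS))
    print("threat-model order :", rank_by_threat_model(FINDINGS, CONTEXT))
    for f in FINDINGS:
        print(f"{f.host:8} {f.issue:24} cvss={f.cvss:4} risk={risk_score(f, CONTEXT[f.host])}")
```

The point to take from the output is that the scanner puts the default-credential finding first and treats the two outdated-library findings as equals, while the threat model pushes the internet-facing web server with a path to the customer database to the top and drops the isolated wiki to the bottom. The weights here are deliberately simple; in practice the likelihood and impact inputs come from the attack scenarios and asset inventory of the threat model, not from a fixed table.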
