Don't risk it: analyse the threat
Source: The Guardian
The reporting of computer and communications security in the mainstream media is often puzzling. Why do some risks merit a big story, while others go unnoticed? This is largely because the subject is taken out of its organisational context, and it is important to see security risks in that context. The first step is to be clear what we mean by a risk: a risk is the overlap between a threat and a vulnerability.
If there is a vulnerability in a system, such as there being no lock on my front door, but there is no corresponding threat (because my house is empty and there is nothing to steal), then it may make sense to leave the vulnerability in place rather than spend money removing it. Conversely, if there is a threat but no corresponding vulnerability, then it is also not worth losing sleep over. This is why newspaper reports about security problems have to be assessed carefully: they don't always have a realistic view of the overlap.