Learning Outcomes
After reading this article, you will be able to identify and distinguish between threats, vulnerabilities, and exposures in IT systems. You will understand the main sources of IT risk—including technical, human, and environmental factors—and explain how these risks affect business continuity and data security. You will also be able to suggest practical controls to mitigate IT risks and recognise the importance of regular review and response to IT exposure in organisations.
ACCA Business and Technology (BT) Syllabus
For ACCA Business and Technology (BT), you are required to understand the impact of IT risks on business security and continuity. This article focuses on:
- Recognition and explanation of IT threats, vulnerabilities, and exposures
- Identification of key risks to business data and systems from cyber and other sources
- Features for protecting IT system security, including appropriate controls and safeguards
- Identification of weaknesses and inefficiencies in system design or operation
- Description of the consequences for failing to secure information and ensure continuity
Test Your Knowledge
Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.
- What is the difference between a system vulnerability and a system exposure?
- Which of the following is a technical control that can reduce the risk of unauthorised data access?
A) Staff awareness training
B) Installing fire extinguishers
C) Password protection and encryption
D) Offering staff bonuses
- List two potential business impacts of a successful cyber-attack on an organisation’s IT system.
- True or false? All exposures to IT threats can be completely eliminated with enough investment.
Introduction
Modern organisations rely heavily on information technology for their daily operations. However, as dependence on IT systems increases, so do the risks to data integrity, security, and continuity of operations. An IT risk is any event or circumstance that could cause loss, damage, or disruption through the use or misuse of technology. To protect the organisation, it is important to understand what constitutes an IT threat, where system vulnerabilities exist, and how exposure creates the opportunity for loss.
Threats, Vulnerabilities, and Exposure
The language of IT risk includes several essential terms:
Key Term: Threat
A potential cause of an unwanted incident that may result in harm to a system or organisation.
Key Term: Vulnerability
A weakness in a system, process, or control that could be exploited by a threat.
Key Term: Exposure
The extent to which organisational assets are at risk should a threat exploit a vulnerability.
A threat is the potential for something bad to happen (such as a virus or unauthorised access). A vulnerability is the weakness that allows it to happen (such as outdated software or weak passwords). Exposure is the degree of risk if that weakness is attacked (such as loss of data or service disruption).
Common IT Security Threats
Examples of threats affecting businesses include:
- Cyber-attacks (malware, ransomware, hacking, phishing)
- Physical events (theft, fire, flooding, hardware failure)
- Human error (accidental deletion, data entry mistakes)
- Insider actions (misuse of access privileges, intentional sabotage)
Threats can originate from inside or outside the organisation and may target systems, data, physical assets, or business processes.
Vulnerabilities in IT Systems
A vulnerability is any flaw that can be exploited by a threat. Typical IT vulnerabilities include:
- Unpatched software or unsupported operating systems
- Poor access controls or use of default passwords
- Inadequate backup or disaster recovery measures
- Insufficient physical protection of servers or devices
- Lack of user training or awareness
Some vulnerabilities are technical (e.g., missing security updates). Others are organisational (e.g., lack of staff awareness or unclear procedures).
Key Term: Control
A measure or action designed to prevent, detect, or reduce the impact of threats exploiting vulnerabilities.
Exposure and Business Continuity
Exposure increases as the combination of threats and vulnerabilities expands, or as systems become more critical to operations. For example, if an accounting system is not backed up, the exposure is that losing it could halt the business.
Business continuity refers to the ability of an organisation to operate despite IT-related incidents. Proper controls limit exposure by addressing vulnerabilities and reducing the chance or impact of threats.
Types and Sources of IT Risk
- Technical risks: Network failure, system crashes, software bugs, outdated hardware
- Human risks: User error, poor password hygiene, lack of training, insider fraud
- Environmental risks: Fire, flood, power loss, theft of devices
Risk is never completely absent. The aim is to control and reduce it to an acceptable level using layered controls.
Worked Example 1.1
Scenario:
A marketing company stores client data on a shared server with no password protection and irregular software updates. One employee accidentally clicks a link in a phishing email, introducing ransomware into the system.
Question:
Identify the threat, vulnerability, and exposure in this scenario.
Answer:
Threat: Ransomware (malicious software sent via phishing).
Vulnerability: Shared server with no password protection and outdated software.
Exposure: Client data is at risk of being lost, stolen, or made inaccessible, which could halt the business and harm reputation.
Consequences of Security Failures
When IT risks are not managed, the organisation is exposed to significant negative impacts:
- Data loss (accidental or malicious destruction)
- Data breach (loss of confidentiality, legal/financial penalties)
- Service disruption (inability to operate, loss of income)
- Reputational harm (loss of client confidence)
- Regulatory sanctions (failure to comply with data protection laws)
Key Term: Business Continuity
The ability of an organisation to maintain essential functions during and after an incident affecting IT systems.
Controlling IT Risks
To counter exposure, organisations use both preventative and detective controls. Controls must be tailored to the specific threats and vulnerabilities. Examples include:
- Firewalls and antivirus software to protect against external threats
- Password policies and regular user training to minimise human error
- Physical barriers (locks, security cameras) to guard against theft or damage
- Routine system updates and patch management to eliminate technical weaknesses
- Regular and tested backups to ensure data recovery after incidents
Key Term: Backup
A copy of data stored separately to enable recovery if the original data is lost or damaged.
Worked Example 1.2
Scenario:
A retailer updates its finance system weekly, but only backs up data at the end of each month. A hardware crash occurs in the third week of May.
Question:
What is the exposure, and how could the risk have been reduced?
Answer:
Exposure: Up to three weeks of transaction data may be permanently lost, severely affecting financial records and operations.
Better practice: Back up data daily to shorten the exposure window, and consider automated cloud backups for reliability.
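The exposure window in Worked Example 1.2 is simply the time since the last completed backup. The following added example (ours, not part of the article) computes that window for a monthly versus a daily backup schedule; it assumes that monthly backups run at the end of each month, daily backups run at midnight, and the backup due on the day of the crash has not yet run.

```python
from datetime import date, timedelta


def last_backup_before(incident: date, schedule: str) -> date:
    """Return the most recent completed backup strictly before the incident.

    schedule: "daily" (taken every midnight) or "monthly" (taken at month end).
    Assumption (ours, not the article's): any backup due on the incident day
    itself has not yet run when the hardware crash happens.
    """
    if schedule == "daily":
        return incident - timedelta(days=1)
    if schedule == "monthly":
        # End of the previous month: the 1st of this month, minus one day.
        return incident.replace(day=1) - timedelta(days=1)
    raise ValueError(f"unknown backup schedule: {schedule}")


def exposure_window_days(incident: date, schedule: str) -> int:
    """Days of transaction data at risk: everything recorded since the last backup."""
    return (incident - last_backup_before(incident, schedule)).days


def worst_case_window_days(year: int, month: int, schedule: str) -> int:
    """Largest exposure window for any incident day within the given month.

    This is what a risk assessment should quote: not the loss on one lucky
    day, but the maximum loss the schedule permits.
    """
    first = date(year, month, 1)
    next_first = (first.replace(day=28) + timedelta(days=4)).replace(day=1)
    days_in_month = (next_first - first).days
    return max(
        exposure_window_days(first + timedelta(days=offset), schedule)
        for offset in range(days_in_month)
    )


if __name__ == "__main__":
    # Constructed scenario matching the article: crash in the third week of May.
    crash = date(2024, 5, 21)
    for schedule in ("monthly", "daily"):
        print(f"{schedule:8s} backups: {exposure_window_days(crash, schedule):2d} days at risk "
              f"(worst case this month: {worst_case_window_days(2024, 5, schedule)} days)")
```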
Maintaining IT Security and Continuity
Key steps for protecting against IT risks:
- Conduct regular risk assessments to identify new threats and vulnerabilities
- Implement, update, and test controls frequently
- Educate staff about current threats (e.g., phishing tactics, software updates)
- Design and rehearse incident response and recovery plans
Key Term: Incident Response
The process of identifying, managing, and recovering from a security or continuity incident in IT systems.
Key Term: Disaster Recovery
Organised method of restoring IT and business operations after a major loss or disruption.
Exam Warning
Be precise in distinguishing between threat (the danger), vulnerability (the weakness), and exposure (the potential loss). Failure to use these correctly could cost marks.
Revision Tip
List and memorise common IT threats and typical controls. Exam scenarios often describe risks—practise matching controls to threats and vulnerabilities.
Summary
IT risk is the possibility that a threat will exploit a vulnerability, resulting in exposure to loss or disruption. Effective controls focus on reducing vulnerabilities, limiting exposure, and maintaining business continuity. Regular review, staff training, and robust response plans are essential to keep the business secure and resilient.
Key Point Checklist
This article has covered the following key knowledge points:
- Difference between IT threat, vulnerability, and exposure
- Common sources of risk to IT systems and data
- Typical vulnerabilities found in organisations
- Business consequences of security failures and exposure
- Types of controls to manage IT risks
- Importance of business continuity and recovery plans
- Regular review and training to adjust to new threats
Key Terms and Concepts
- Threat
- Vulnerability
- Exposure
- Control
- Business Continuity
- Backup
- Incident Response
- Disaster Recovery