the vulnerabilities that might be exploited by the threats
In BS7799-2:2002 4.2.1.d.3 I read the following:
d) Identify the risks
- Identify the assets [...]
- Identify the threats to those assets.
- Identify the vulnerabilities that might be exploited by the threats.
The standards document does define a few terms, but not threat, vulnerability and exploited.
Now, my computer is an asset that is threatened by interruptions in electric power supply.
But it does not make sense to say that the power supply exploited a storm to stop my PC?
Is BS 7799-2:2002 written on the assumption that all risk is caused by deliberate attacks?
Looking at Security in Computing by Charles P Pfleeger, ISBN 0-13-799016-2 section 1.2:
[...] an exposure is a form of possible loss or harm [...] A vulnerability is a weakness in the security system that might be exploited to cause loss or harm. A human who exploits a vulnerability perpetrates an attack on the system. Threats [...] are circumstances that have the potential to cause loss or harm; human attacks are examples of threats, as are natural disasters [and] human errors[...] a control [BS 7799-2:2002 3.11 risk treatment] is a protective measure
By BS and Pfleeger definitions, my power line is vulnerable to sabotage, but not to storm damage.
Hardly a useful definition. I can't say that the storm is a threat that exploits the vulnerability of the power line.
I need a new word: the storm is a threat that xxxes the vulnerability of the power line.
Any suggestions?
I want to remove exploit from the definition:
- vulnerability
- a weakness in the security system that might cause loss or harm
New attempt:
vulnerability
a weakness in the security system that might allow a threat to cause loss or harm
Rewriting Pfleeger:
[...] an exposure is a form of possible loss or harm [...] A vulnerability is a weakness in the security system that might allow a threat to cause loss or harm. A human who exploits a vulnerability perpetrates an attack on the system. Threats [...] are circumstances that have the potential to cause loss or harm; human attacks are examples of threats, as are natural disasters [and] human errors[...] a control [BS 7799-2:2002 3.11 risk treatment] is a protective measure