Vulnerability, Threat, Risk, Exploit

If a vulnerability is unknown, is there a threat?

This is not similar to the “if a tree falls in the forest and no one is there to hear it, does it make a sound?” question. The “tree falls” question explores what we call “sound”. Does a sound require a receptor? Can there be unheard sounds, or is the term nonsensical? The “tree falls” question explores language, and is a semantic question.

If a vulnerability is unknown, it still exists.

There can be unknown vulnerabilities and unknown threats. Vulnerabilities are often discovered by accident, where the typical side-effect is an unresponsive, hung or crashed system. Investigation of the problem may lead to more useful ways to exploit the vulnerability, now that it has become known.

While a vulnerability is unknown, it represents little risk.

This should be consistent with NIST publication SP 800-30, Risk Management Guide for Information Technology Systems, which says:

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.

The “tree in forest” question is a semantic question; about words, their meaning and proper use. Questions about vulnerabilities, threats, risks and exploits can be any of three different questions: physical (or metaphysical), epistemological or semantic. Physical (or metaphysical) questions are questions about the nature of the thing itself. Epistemological questions are questions about knowledge.

Information Security professionals take these common language terms and operationally define Risk as the product of Threat, Vulnerability and Cost. Threat is operationally defined as the frequency of potentially adverse events. Vulnerability is operationally defined as the likelihood that a particular category of threat succeeds. Cost is the cost of an incident (such as a per-incident cost). The point Information Security professionals wish to make is that Vulnerability alone is not significant, nor is Threat or Cost alone. If any one of these three is insignificant (approaches zero), the Risk is insignificant (just as the product of zero and any other number is zero). Some Risks (some situations) are more important than others.
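The operational definition above can be put to work as a small risk register. The following is an added example, not code from the original post: it scores each scenario as Threat (adverse events per year) times Vulnerability (probability of success, 0 to 1) times Cost (cost per incident), ranks the scenarios, and shows why a flaw that no threat-source is currently exercising scores near zero until the threat frequency changes. The scenario names and numbers are constructed for illustration.

```python
"""Risk register using the post's operational definition: Risk = Threat x Vulnerability x Cost."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float         # frequency: expected adverse events per year
    vulnerability: float  # likelihood that an event of this category succeeds, 0.0..1.0
    cost: float           # cost per successful incident (same currency for every scenario)

    def __post_init__(self):
        # Guard against the common mistake of feeding ordinary-language "threat"
        # or "vulnerability" ratings (e.g. 1..5 scores) into a formula that expects
        # a frequency and a probability.
        if self.threat < 0:
            raise ValueError(f"{self.name}: threat frequency must be >= 0")
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError(f"{self.name}: vulnerability must be a probability in [0, 1]")
        if self.cost < 0:
            raise ValueError(f"{self.name}: cost must be >= 0")

    def risk(self) -> float:
        """Annualised expected loss; zero whenever any factor is zero."""
        return self.threat * self.vulnerability * self.cost


def rank(scenarios):
    """Highest risk first; ties keep input order (sorted() is stable)."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


def with_threat(scenario: Scenario, threat: float) -> Scenario:
    """Same flaw, same cost, but a new threat frequency (e.g. after disclosure)."""
    return replace(scenario, threat=threat)


# Constructed sample register (values are illustrative, not measured).
REGISTER = [
    Scenario("undisclosed flaw, no known threat-source", threat=0.0, vulnerability=0.9, cost=500_000.0),
    Scenario("phishing against a filtered mail gateway", threat=50.0, vulnerability=0.02, cost=20_000.0),
    Scenario("unpatched public web application", threat=12.0, vulnerability=0.4, cost=80_000.0),
    Scenario("disk failure on a throwaway test host", threat=2.0, vulnerability=1.0, cost=0.0),
]

if __name__ == "__main__":
    for s in rank(REGISTER):
        print(f"{s.risk():>12,.0f}  {s.name}")
    # The same vulnerability, once it is known and being exercised, moves up the list.
    disclosed = with_threat(REGISTER[0], threat=4.0)
    print(f"{disclosed.risk():>12,.0f}  {disclosed.name} (after disclosure)")
```

Two scenarios score zero for different reasons: one because no threat-source exercises the flaw, the other because a successful event costs nothing. Changing only the threat frequency on the undisclosed flaw, as `with_threat` does, is the quantitative counterpart of the post's point that the vulnerability was always there and only the risk changed.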

There is a danger in confusing these operational definitions of terms with their ordinary language use. Once you have illustrated that some situations are more deserving of attention than others, return to using the terms in the language of your audience. Threat is not a frequency, nor is vulnerability a probability.

An alternate sequence of terms and their usage: a vulnerability is a system susceptibility or flaw (such as inadequate input sanitization) which an attacker can access and exploit. A software bug could be, but is not necessarily, a vulnerability. This seems to be consistent with The Three Tenets of Cyber Security.
