Episode 72: Identifying Threats and Vulnerabilities to People, Processes, and Technology
Welcome to The Bare Metal Cyber CRISC Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Threat and vulnerability identification is the foundation of risk analysis. Without knowing what could go wrong or where weaknesses exist, CRISC professionals cannot measure or manage risk accurately. A threat is anything that has the potential to cause harm, while a vulnerability is a weakness that makes that harm possible. When combined, they form the basis for risk scenarios, assessments, and response plans. This process is not just about listing dangers—it is about creating a structured map of exposure across people, processes, and technology. Proper identification ensures that risks are anticipated rather than discovered after damage is done. On the exam, many questions are built around whether threats or vulnerabilities were missed, ignored, or misunderstood. Being able to systematically identify and document them is critical to preventing surprises.
To understand threats, you must look at them in context, not just as labels but as sources with a likelihood of acting and a capacity to cause harm. For intentional threats, such as a criminal group or a disgruntled employee, that means asking about motive, capability, and opportunity; for accidental or natural threats, such as a storm or an operator error, there is no motive, so the question becomes how often the event occurs and how severe it is when it does. Common threat types include cyber threats, such as malware, ransomware, and denial-of-service attacks. Insider threats involve employees or contractors, whether acting with malicious intent or simply through negligence. Natural threats come from environmental sources like fire, flood, or earthquake and can severely disrupt operations. Systemic threats arise from broader influences, such as geopolitical instability, supply chain disruption, or sudden regulatory changes. On the exam, threats are often introduced in dynamic or poorly governed environments. Recognizing them means considering the evolving context, the organization’s exposure, and the potential for harm if the threat acts on a vulnerable target.
Vulnerabilities are internal weaknesses that make an organization susceptible to threats. They exist whether or not a threat is currently active. Vulnerabilities can be human, procedural, or technical. Human vulnerabilities include users who lack training, who fall for phishing schemes, or who ignore password hygiene. Process vulnerabilities include missing documentation, the absence of review checkpoints, or a lack of segregation of duties. Technical vulnerabilities involve issues like unpatched systems, poor configuration, or the absence of logging and monitoring. Understanding vulnerabilities means going beyond individual flaws to identify structural patterns of weakness. On the exam, you may see a scenario where everything appears normal until a weakness is exploited—those questions test your ability to spot the hidden gaps that allow threats to succeed.
Threats and vulnerabilities that focus on human factors are among the most common—and the most exploited. Examples include phishing attacks that trick users into clicking malicious links or providing credentials. These exploit behavioral vulnerabilities, such as lack of awareness or failure to verify sources. Weak or reused passwords are another frequent issue, often leading to unauthorized access. Role-based access that is too permissive or lacks proper review can allow users to see or change more than they should. A poor security culture, where employees are not encouraged to report suspicious activity or where awareness training is infrequent, only increases the risk. On the exam, if a scenario describes a user clicking a suspicious link or bypassing controls, it likely points to a human vulnerability that should have been addressed through training, policy, or better access control.
Process-related threats and vulnerabilities occur when the way work is done exposes the organization to risk. These include outdated procedures that no longer reflect the current system architecture or business needs. When processes are not documented, they cannot be reviewed, updated, or tested, creating gaps that threats can exploit. The lack of segregation of duties allows one person to execute conflicting tasks, such as approving and processing the same transaction, increasing the risk of fraud or error. Manual workarounds, especially those developed in response to system limitations, often bypass controls altogether. The absence of checkpoints, such as approvals or reconciliations, further weakens process integrity. On the exam, these gaps often appear in scenarios describing overlooked exceptions or errors. The strongest answers will reinforce the need for documented, tested, and consistently applied procedures.
Technical threats and vulnerabilities are what many think of first—but they are only part of the risk picture. These include unpatched software, outdated firmware, and unsupported applications, all of which can be exploited by known attack methods. Misconfigured firewalls, open ports, or overly broad access permissions can expose systems to unnecessary risk. Weak encryption or poor key management practices can compromise data confidentiality. A major vulnerability category involves detection gaps—systems without proper logging, alerting, or audit trail capabilities can be breached without anyone knowing. On the exam, technical vulnerabilities are often paired with audit findings or breach reports. If a scenario includes a system with no monitoring or a patch that was delayed, the correct answer likely involves identifying this gap and recommending remediation based on known control standards.
To identify threats and vulnerabilities effectively, CRISC professionals use structured techniques and tools. Threat modeling frameworks such as STRIDE help break down threats into six categories: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Attack trees map out how a threat could reach its goal through alternative paths, and they show which single control cuts off the cheapest one. Vulnerability scans and penetration tests reveal exploitable weaknesses in live systems, but only technical ones that are already known or reachable; they say nothing about a missing approval step or an untrained user. Process audits and control walkthroughs uncover procedural flaws and inconsistent implementations. Workshops with stakeholders and subject matter experts are essential for surfacing risks that do not appear in system documentation. The most accurate identification comes from combining these approaches and validating findings across sources. On the exam, when asked which technique best supports identification, look for answers that combine tools, structured methods, and cross-functional input, not just technical testing alone.
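As an added illustration of the attack-tree technique just described (this is example code written for this page, not part of the episode or of any ISACA material), the Python below evaluates a small attack tree. The tree, the relative attacker costs, and the STRIDE labels on each leaf are constructed for the example. It finds the cheapest path to the attacker's goal, lists the STRIDE categories a defender must address on that path, and then shows how one control (patching the portal) changes which path the attacker would pick.

```python
"""Added example: evaluating an attack tree and seeing how one control shifts
the cheapest path.  Tree, costs and STRIDE tags are constructed for
illustration, not taken from the episode."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    gate: Optional[str] = None      # "AND" / "OR" for inner nodes, None for leaf steps
    cost: float = 0.0               # relative attacker effort for a leaf step
    stride: Optional[str] = None    # STRIDE category of a leaf step
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Return (total cost, leaf steps) of the least-effort way to reach `node`.
    OR gate: the attacker picks the cheapest child.
    AND gate: the attacker must complete every child, so costs add up."""
    if not node.children:
        return node.cost, [node.name]
    sub = [cheapest_path(c) for c in node.children]
    if node.gate == "AND":
        return sum(c for c, _ in sub), [s for _, steps in sub for s in steps]
    if node.gate == "OR":
        return min(sub, key=lambda r: r[0])
    raise ValueError(f"inner node {node.name!r} needs gate 'AND' or 'OR'")


def leaves(node: Node) -> Dict[str, Node]:
    """All leaf steps in the tree, keyed by name."""
    if not node.children:
        return {node.name: node}
    out: Dict[str, Node] = {}
    for c in node.children:
        out.update(leaves(c))
    return out


def stride_on_path(tree: Node, steps: List[str]) -> List[str]:
    """STRIDE categories the defender must address to break the given path."""
    by_name = leaves(tree)
    return sorted({by_name[s].stride for s in steps if by_name[s].stride})


def raise_cost(tree: Node, leaf_name: str, new_cost: float) -> None:
    """Model a control as raising the attacker's effort for one leaf step."""
    leaves(tree)[leaf_name].cost = new_cost


def build_tree() -> Node:
    """Constructed sample tree: three ways to read customer records."""
    return Node("Read customer records", gate="OR", children=[
        Node("Phish an employee", gate="AND", children=[
            Node("Send credential-harvesting email", cost=1, stride="Spoofing"),
            Node("Defeat MFA with push fatigue", cost=6, stride="Spoofing"),
        ]),
        Node("Exploit the customer portal", gate="AND", children=[
            Node("Find the unpatched portal host", cost=2, stride="Information disclosure"),
            Node("Run public exploit for the missing patch", cost=3, stride="Elevation of privilege"),
        ]),
        Node("Recruit an insider to export the data", cost=20, stride="Information disclosure"),
    ])


if __name__ == "__main__":
    tree = build_tree()
    cost, steps = cheapest_path(tree)
    print(f"before patching: cost {cost} via {steps} -> {stride_on_path(tree, steps)}")
    # Control: the patch is applied, so the public exploit no longer works cheaply.
    raise_cost(tree, "Run public exploit for the missing patch", 15)
    cost, steps = cheapest_path(tree)
    print(f"after patching:  cost {cost} via {steps} -> {stride_on_path(tree, steps)}")
```

Before the patch the cheapest route is the portal (cost 5); after it, phishing becomes the path of least effort (cost 7), which is the point of the exercise: a control is only as useful as the next-cheapest path it leaves behind.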
Inventories and classification systems guide where to focus threat and vulnerability identification. A complete system inventory shows what assets exist, where they are located, and who owns them. Data classification indicates the sensitivity of information, which helps determine whether current controls are appropriate. Process criticality assessments identify which functions are most vital to the business and what the consequences would be if they fail. Without this foundational mapping, threats may be identified without context, and vulnerabilities may go unnoticed. Misclassified or unregistered assets create blind spots in risk analysis and response planning. On the exam, if a question describes a failure due to an unknown dependency or a misclassified system, it is likely pointing to gaps in this early discovery step. Strong responses will reflect awareness that exposure must be mapped to value before it can be controlled.
Once threats and vulnerabilities have been identified, they must be documented in a way that connects them to risk scenarios. For each threat and vulnerability pair, it is important to identify who owns the associated asset or process, what the potential impact is if the risk materializes, how likely it is to occur, and whether any existing controls are in place. This structure supports traceability, helps prioritize monitoring and testing, and informs treatment planning. These entries should feed directly into the organization’s risk register so that all risks can be tracked, assessed, and reviewed over time. On the exam, you may be asked what was missing from a scenario, and the correct answer may involve failure to document ownership, likelihood, or impact. CRISC professionals must ensure that every finding is turned into an actionable, traceable item for risk governance.
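As an added example of the documentation step (written for this page, not code from the episode or from ISACA), the Python below models risk register entries that pair a threat and a vulnerability with an asset, an owner, likelihood, impact, and existing controls. Every entry is constructed for illustration. The check flags entries that cannot yet be assessed because ownership, likelihood, or impact is missing, refuses to give credit for controls nobody has rated, and ranks the complete entries by residual score.

```python
"""Added example: turning threat/vulnerability findings into risk register
entries and checking each for the fields risk governance needs.
All entries below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fields that must be present before an entry can be assessed and tracked.
REQUIRED = ("asset", "owner", "threat", "vulnerability", "likelihood", "impact")


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    owner: Optional[str] = None          # accountable person for the asset or process
    likelihood: Optional[int] = None     # 1 (rare) .. 5 (almost certain)
    impact: Optional[int] = None         # 1 (negligible) .. 5 (severe)
    existing_controls: Tuple[str, ...] = ()
    control_effectiveness: float = 0.0   # 0.0 = no reduction, 1.0 = fully mitigates

    def missing(self) -> List[str]:
        """Gaps that block assessment: absent fields, out-of-range ratings,
        and controls that are listed but have never been rated."""
        gaps = [f for f in REQUIRED if getattr(self, f) in (None, "")]
        for f in ("likelihood", "impact"):
            v = getattr(self, f)
            if v is not None and not 1 <= v <= 5:
                gaps.append(f"{f} out of range")
        if self.existing_controls and self.control_effectiveness == 0.0:
            gaps.append("controls listed but effectiveness unrated")
        return gaps

    def inherent_score(self) -> int:
        """Likelihood x impact before any control is credited."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Inherent score reduced by the rated effectiveness of existing controls."""
        return self.inherent_score() * (1 - self.control_effectiveness)


def prioritize(register: List[RiskEntry]):
    """Split the register into assessable entries (ranked, highest residual first)
    and blocked entries paired with what is missing from each."""
    ready = [e for e in register if not e.missing()]
    blocked = [(e, e.missing()) for e in register if e.missing()]
    ready.sort(key=lambda e: e.residual_score(), reverse=True)
    return ready, blocked


def sample_register() -> List[RiskEntry]:
    """Constructed entries spanning people, process and technology."""
    return [
        RiskEntry("Payroll system", "Insider committing fraud", "No segregation of duties",
                  owner="Finance director", likelihood=3, impact=4,
                  existing_controls=("quarterly access review",), control_effectiveness=0.25),
        RiskEntry("Customer portal", "External attacker", "Unpatched web server",
                  owner="Platform lead", likelihood=4, impact=5),
        RiskEntry("Email users", "Phishing campaign", "No awareness training",
                  likelihood=4, impact=3),                       # nobody owns it
        RiskEntry("Backup server", "Ransomware", "No offline backup copies",
                  owner="IT operations", impact=5,               # likelihood never rated
                  existing_controls=("nightly backups",)),       # control never tested
    ]


if __name__ == "__main__":
    ready, blocked = prioritize(sample_register())
    for e in ready:
        print(f"{e.residual_score():5.1f}  {e.asset}: {e.threat} / {e.vulnerability} ({e.owner})")
    for e, gaps in blocked:
        print(f"BLOCKED {e.asset}: missing {', '.join(gaps)}")
```

Run as a script it ranks the customer portal above payroll and reports the two entries that cannot be scored yet, which is exactly the shape of the exam question "what was missing from this scenario": an owner, a likelihood rating, or evidence that a claimed control actually works.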
Exam scenarios involving threat and vulnerability identification often test your understanding of risk scenario construction and exposure mapping. You might be asked which element is missing from a scenario, and the right answer could be a threat actor, a system vulnerability, or the asset at risk. Other questions may ask why a risk was underestimated, and the answer might be a missed dependency or an unrecognized procedural weakness. Some questions focus on which identification method is best, and the strongest answer will combine modeling, technical testing, and stakeholder input. You may also be asked to identify the root cause of an incident, and the correct choice may involve a process gap, such as a missing approval or control bypass. The best answers will always reflect a clear understanding that risk exposure spans people, processes, and technology, and that threat and vulnerability identification must be both structured and actionable.
Thanks for joining us for this episode of The Bare Metal Cyber CRISC Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.
