What is risk, threat and vulnerability?

The terms risk, threat and vulnerability are core elements in risk analysis, each representing a distinct concept:

• Risk:
• A situation where someone or something valued is exposed to danger, harm or loss (noun) or to expose someone or something valued to danger, harm or loss (verb).
• The potential for loss or harm when threats exploit vulnerabilities is often calculated as “risk = likelihood × impact”.
• Threat:
• A person or thing likely to cause damage or danger (noun) or to indicate impending damage or danger (verb).
• Any potential cause of harm could be external (hackers, malware) or internal (insider error).
• Threats are the possible agents or triggers.
• Vulnerability:
• A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
• Examples of vulnerabilities include unpatched software, weak passwords and poor physical security.