What is Risk, Threat and Vulnerability?
The terms risk, threat and vulnerability are core elements in risk analysis, each representing a distinct concept:
- Risk:
- A situation where someone or something valued is exposed to danger, harm or loss (noun) or to expose someone or something valued to danger, harm or loss (verb).
- In security terms, the potential for loss or harm that arises when a threat exploits a vulnerability. It is commonly estimated as “risk = likelihood × impact”, where likelihood is how probable the exploitation is and impact is the harm that would result; a threat with no matching vulnerability, or a vulnerability no threat can reach, yields little or no risk.
- Threat:
- A person or thing likely to cause damage or danger (noun) or to indicate impending damage or danger (verb).
- Any potential cause of harm. Threat sources can be external (attackers, malware) or internal (insider error or misuse).
- Threats are the possible agents or triggers.
- Vulnerability:
- A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
- Examples of vulnerabilities include unpatched software, weak passwords and poor physical security.
An effective cybersecurity program maps threats to the vulnerabilities they could exploit, evaluates the risk each pairing presents and implements controls that reduce the likelihood of exploitation, the impact if it occurs, or both. ComplianceForge’s Risk–Threat–Vulnerability ecosystem guides emphasize this linkage and the importance of controls in lowering overall risk.
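The linkage described above, worked through as a small risk register: each threat is paired with the vulnerability it exploits on a named asset, the pairing is scored as likelihood × impact, and controls lower the likelihood, the impact, or both to give a residual risk. This is an added example, not code from the original page or from ComplianceForge; the scenarios, the 1–5 scales, the rating bands and the effect of each control are constructed for illustration and are assumptions, not measured values.

```python
"""Risk = likelihood x impact worked through a small risk register.

Added example for this page, not code from the original article or from
ComplianceForge. Scenarios, scores, scales and control effects are all
constructed for illustration and are assumptions, not measured values.
"""
from dataclasses import dataclass, field

# Qualitative 1-5 scales (an assumed convention; organisations define their own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A safeguard that lowers likelihood, impact, or both by a number of scale steps."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class RiskScenario:
    """One threat mapped to one vulnerability on one asset."""
    threat: str
    vulnerability: str
    asset: str
    likelihood: int          # 1-5, before controls
    impact: int              # 1-5, before controls
    controls: list[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk with no controls applied: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_factors(self) -> tuple[int, int]:
        """Likelihood and impact after controls. Neither drops below 1: a control
        lowers the chance or the cost of harm but never removes the threat or
        the value of the asset entirely."""
        like = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return like, imp

    def residual_risk(self) -> int:
        """Risk that remains once the listed controls are in place."""
        like, imp = self.residual_factors()
        return like * imp


def rate(score: int) -> str:
    """Map a 1-25 score onto a three-band rating (the bands are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register() -> list[RiskScenario]:
    """Constructed sample register built around the page's own vulnerability examples."""
    return [
        RiskScenario(
            threat="ransomware operator (external)",
            vulnerability="unpatched internet-facing server",
            asset="customer database",
            likelihood=LIKELIHOOD["likely"], impact=IMPACT["severe"],
            controls=[Control("30-day patch SLA", likelihood_reduction=2),
                      Control("offline, tested backups", impact_reduction=2)],
        ),
        RiskScenario(
            threat="credential-stuffing attacker (external)",
            vulnerability="weak or reused passwords on the VPN",
            asset="internal network",
            likelihood=LIKELIHOOD["almost certain"], impact=IMPACT["major"],
            controls=[Control("phishing-resistant MFA", likelihood_reduction=3)],
        ),
        RiskScenario(
            threat="opportunistic thief (external or insider)",
            vulnerability="unlocked server room",
            asset="on-premises servers",
            likelihood=LIKELIHOOD["possible"], impact=IMPACT["major"],
            controls=[Control("badge access with logging", likelihood_reduction=1),
                      Control("full-disk encryption", impact_reduction=2)],
        ),
    ]


def prioritise(register: list[RiskScenario]) -> list[RiskScenario]:
    """Highest residual risk first: the order in which further controls should be funded."""
    return sorted(register, key=lambda s: s.residual_risk(), reverse=True)


if __name__ == "__main__":
    for s in prioritise(build_register()):
        print(f"{s.threat} -> {s.vulnerability} ({s.asset}): "
              f"inherent {s.inherent_risk()} ({rate(s.inherent_risk())}), "
              f"residual {s.residual_risk()} ({rate(s.residual_risk())})")
```

Two points the numbers make that the definitions alone do not: two pairings with the same inherent score (20) end up in different places once controls are applied, so prioritisation has to be done on residual risk, and the multiplication is a ranking convention over ordinal scores rather than a measurement, so the bands and step reductions should be agreed in advance and applied consistently rather than read as probabilities or currency.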