Security Foundations • 08 / 09

Vulnerability, Threat, and Risk

Three terms constantly conflated in security conversations. They are distinct concepts — and conflating them produces bad risk decisions.

01 — Weakness
Vulnerability
A weakness in a system, process, or control. It exists independently of whether anyone exploits it. The presence of a vulnerability does not mean an attack will occur.
"Standard plate glass windows" — weak by nature of the material. A known CVE in software with no patch applied.
02 — Potential Danger
Threat
The potential danger associated with exploiting a vulnerability. A threat actor, a natural event, or an error that could take advantage of the weakness.
"The glass can be broken" — a smash-and-grab burglar. A public proof-of-concept exploit for the CVE has been released.
03 — Business Impact
Risk
The likelihood that a threat actor exploits the vulnerability, combined with the business impact if they succeed. Risk drives the response decision.
How likely is a break-in at this location? What is the cost to the business if it happens? What do we do about it?
Vulnerability: a weakness exists
+ Threat: an actor could exploit it
= Risk: Likelihood × Impact
Real-World Scenarios
🏪 Physical — Showroom
VULN Storefront built with standard plate glass doors and windows — inherently breakable.
THREAT A potential smash-and-grab burglar who could break the glass to access merchandise.
RISK How likely is smash-and-grab at this location? What merchandise value is exposed? Is this area high-crime?
🏥 Digital — Hospital Database
VULN Hospital EHR database running a version with a known unpatched CVE in the advisory feed.
THREAT A working proof-of-concept exploit for that CVE has been publicly released. The threat is now credible: anyone can weaponize it, even if no exploitation in the wild has been observed yet.
RISK How exposed is this system? What is the impact of patient records being altered, disclosed, or destroyed? What is the patching timeline?

Why this matters: A vulnerability with no credible threat actor carries less risk than the same vulnerability with a live exploit kit in the wild, and that assessment must be redone the moment a public PoC or in-the-wild exploitation appears. High-likelihood threats against low-impact assets may be lower priority than low-likelihood threats against critical systems. Risk = Likelihood × Impact, and risk drives the response, not the vulnerability alone.
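The following is an added worked example, not part of the original slide: it keeps Vulnerability, Threat and Risk as separate records, derives likelihood from threat evidence and exposure, scores risk as likelihood × impact, and ranks constructed findings modelled on the two scenarios above. The threat-level scale, the 0..1 exposure, the 1..5 impact scale, the likelihood formula and the asset names are all assumptions chosen for illustration, not a standard scoring method.

```python
"""
Added example (not from the original slide): a minimal risk-ranking model that
keeps Vulnerability, Threat and Risk distinct and scores risk as
likelihood x impact. All scales, weights and sample findings are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class ThreatLevel(Enum):
    """Evidence that an actor could exploit the weakness (assumed scale)."""
    NONE_KNOWN = 1         # no known exploit or actor interest
    POC_PUBLIC = 3         # public proof-of-concept exists
    EXPLOITED_IN_WILD = 5  # active exploitation / exploit kit in the wild


@dataclass(frozen=True)
class Vulnerability:
    """A weakness; exists whether or not anyone exploits it."""
    asset: str
    weakness: str     # e.g. "unpatched CVE", "plate glass storefront"
    exposure: float   # assumed 0.0 (isolated) .. 1.0 (public street / internet-facing)


@dataclass(frozen=True)
class Threat:
    """Who or what could exploit the weakness, and how credible that is."""
    vulnerability: Vulnerability
    level: ThreatLevel


@dataclass(frozen=True)
class Risk:
    """Likelihood combined with business impact; this drives the response."""
    threat: Threat
    likelihood: float  # 0..1
    impact: int        # assumed 1..5 business impact if exploitation succeeds
    score: float       # likelihood * impact


def likelihood(threat: Threat) -> float:
    """Assumed model: likelihood rises with threat evidence and with exposure."""
    return round(threat.level.value / 5 * threat.vulnerability.exposure, 2)


def assess(threat: Threat, impact: int) -> Risk:
    """Turn a threat against a vulnerability into a risk record."""
    if not 1 <= impact <= 5:
        raise ValueError("impact must be on the assumed 1..5 scale")
    lk = likelihood(threat)
    return Risk(threat, lk, impact, round(lk * impact, 2))


def rank(risks: list[Risk]) -> list[Risk]:
    """Highest risk first; ties broken by impact so critical assets surface."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def sample_findings() -> list[Risk]:
    """Constructed findings (hypothetical assets) mirroring the slide's scenarios."""
    ehr = Vulnerability("hospital-ehr-db", "unpatched CVE in EHR database", exposure=0.6)
    shop = Vulnerability("showroom-storefront", "standard plate glass doors/windows", exposure=1.0)
    blog = Vulnerability("marketing-blog", "unpatched CVE in CMS plugin", exposure=1.0)
    return rank([
        assess(Threat(ehr, ThreatLevel.POC_PUBLIC), impact=5),          # PoC released
        assess(Threat(ehr, ThreatLevel.NONE_KNOWN), impact=5),          # same weakness, no credible threat
        assess(Threat(shop, ThreatLevel.POC_PUBLIC), impact=2),         # burglar could break the glass
        assess(Threat(blog, ThreatLevel.EXPLOITED_IN_WILD), impact=1),  # high likelihood, low impact
    ])


if __name__ == "__main__":
    for r in sample_findings():
        v = r.threat.vulnerability
        print(f"{r.score:4.2f}  L={r.likelihood:4.2f} I={r.impact}  "
              f"{v.asset:20s} {r.threat.level.name:18s} {v.weakness}")
```

Running the script prints the ranking: the EHR database with a public PoC comes first, the low-impact blog server ranks below it despite having the highest likelihood of all, and the identical EHR weakness with no credible threat falls to the bottom. Changing only the ThreatLevel of a finding changes its rank, which is the slide's point: the vulnerability alone does not decide the response.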