Threat versus Risk

There are three terms that we need to take note of to avoid any confusion.

  • Vulnerability: Vulnerable means susceptible to attack or damage. In information security, a vulnerability is a weakness.

  • Threat: A threat is a potential danger associated with this weakness or vulnerability.

  • Risk: The risk is concerned with the likelihood of a threat actor exploiting a vulnerability and the consequent impact on the business.

Consider, for example, a hospital that uses a particular database system to store all of its medical records. One day, while following the latest security news, you learn that the database system in use is not only vulnerable but that a working proof-of-concept exploit has also been released; the released exploit code indicates that the threat is real. With this knowledge, you must consider the resulting risk and decide on the next steps.