
The Difference Between a Security Risk, Vulnerability and Threat

        posted by , December 09, 2012

It's often the most basic definitions that are most easy to get wrong.

When it comes to information security there are no more important concepts than risk, threat and vulnerability.

The difference between these terms might seem obvious. Nevertheless, they are frequently misused.


When did the future switch from being a promise to a threat?
~ Chuck Palahniuk
A threat is something bad that might happen.

It's as simple as that. A more complex definition wouldn't be any more helpful.

From a security perspective the first threat that pops to mind is a security attack. However, a threat can range from innocent mistakes made by employees to natural disasters.


Vulnerability is the birthplace of innovation, creativity and change.
~ Brene Brown
It's common to define vulnerability as "weakness" or as an "inability to cope". Both of these definitions are completely wrong (from a security and risk management perspective).

A better definition of vulnerability is "exposure".

If you give a presentation at a conference it might open you to criticism or even ridicule. Plenty of people have a fear of public speaking for this very reason. However, the act of giving a speech isn't a weakness, it's an exposure.

Connecting a system to the internet can represent a vulnerability. For example, it exposes a system to a DDoS attack. However, connecting a system to customers via the internet isn't likely to be considered a weakness from a business perspective.


No man is worth his salt who is not ready at all times to risk his well-being, to risk his body, to risk his life, in a great cause.
~ Theodore Roosevelt
Risk is a chance that something unexpected will happen. It's the combination of threats and vulnerabilities:

Risk = Threats x Vulnerabilities

IT security professionals tend to think of risk as bad. They might define it as the "chance that something bad will happen".

However, from a business perspective risk can be considered a good thing. Therefore, risk management professionals treat risks as potentially positive.
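To make the formula and the positive-risk point concrete, here is an added example (not from the original article) that scores a small risk register as threat x vulnerability. Threat names, likelihoods, impacts and exposure values are constructed for illustration; impacts are negative for losses and positive for gains, so a business opportunity shows up as a positive risk.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    """Something that might happen; impact is negative for a loss, positive for a gain."""
    name: str
    likelihood: float   # chance of occurring in the planning period, 0..1 (constructed)
    impact: float       # effect if it occurs, in arbitrary money units (constructed)

@dataclass(frozen=True)
class Vulnerability:
    """An exposure: which threats an asset is open to, and how much of the impact can reach it."""
    name: str
    exposed_to: frozenset   # names of the threats this exposure opens the asset to
    exposure: float         # 0..1; 0 means the threat exists but cannot reach the asset

def risk(threat: Threat, vuln: Vulnerability) -> float:
    """Risk = Threat x Vulnerability. Without an exposure to that threat there is no risk,
    however likely the threat itself may be."""
    if threat.name not in vuln.exposed_to:
        return 0.0
    return threat.likelihood * vuln.exposure * threat.impact

def risk_register(threats, vulns):
    """Expected value of every threat/exposure pairing, worst (most negative) first."""
    rows = [(t.name, v.name, risk(t, v)) for t in threats for v in vulns]
    return sorted((r for r in rows if r[2] != 0.0), key=lambda r: r[2])

# Constructed sample data mirroring the article's own examples (internet exposure, DDoS, disasters).
THREATS = [
    Threat("ddos", likelihood=0.3, impact=-100.0),
    Threat("flood", likelihood=0.01, impact=-500.0),
    Threat("new customers", likelihood=0.6, impact=200.0),   # a positive risk: an opportunity
]
VULNS = [
    Vulnerability("internet-facing web tier", frozenset({"ddos", "new customers"}), 1.0),
    Vulnerability("data centre on a floodplain", frozenset({"flood"}), 0.5),
    Vulnerability("offline tape archive", frozenset(), 0.0),   # exposed to nothing: zero risk
]

def net_risk(threats=THREATS, vulns=VULNS) -> float:
    """Sum of all risks; a positive total means the exposures are, on balance, worth taking."""
    return sum(r for _, _, r in risk_register(threats, vulns))

if __name__ == "__main__":
    for t, v, r in risk_register(THREATS, VULNS):
        print(f"{t:14s} x {v:28s} = {r:+.1f}")
    print("net:", net_risk())
```

The same internet exposure carries both the DDoS loss and the customer gain, while the offline archive contributes nothing to the register no matter how likely each threat is.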
