What is the difference between vulnerability, threat, and risk?
D2 · Threats · CompTIA Security+ SY0-701

These three terms are closely related but distinct, and heavily tested:

Vulnerability: A weakness or flaw (e.g., unpatched OS, open port, weak password policy).
Threat: Any potential danger that could exploit a vulnerability (e.g., a hacker, malware, natural disaster).
Risk: The likelihood and impact of a threat exploiting a vulnerability. Risk = Threat × Vulnerability × Impact.
A server with an unpatched flaw is a vulnerability. A hacker targeting it is the threat. The probability they succeed and the resulting damage is the risk. You manage risk by patching (reducing vulnerability) or adding controls.