Threat, vulnerability, risk – commonly mixed up terms

What are the most commonly mixed up security terms? Threat, vulnerability, and risk.

While it might be unreasonable to expect those outside the security industry to understand the differences, more often than not, many in the business use these terms incorrectly or interchangeably. Some definitions (from Strategic Security Management) might help:

Asset – People, property, and information.  People may include employees and customers along with other invited persons such as contractors or guests.  Property assets consist of both tangible and intangible items that can be assigned a value.  Intangible assets include reputation and proprietary information.  Information may include databases, software code, critical company records, and many other intangible items.

An asset is what we’re trying to protect.

Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

A threat is what we’re trying to protect against.

Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.

A vulnerability is a weakness or gap in our protection efforts.

Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

Risk is the intersection of assets, threats, and vulnerabilities.

Why is it important to understand the difference between these terms? If you don’t understand the difference, you’ll never understand the true risk to assets. When conducting a risk assessment, the formula used to determine risk is:

A + T + V = R

That is, Asset + Threat + Vulnerability = Risk.

Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.

Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to assets.  Understanding the difference between threats, vulnerabilities, and risk is the first step.
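To make the "intersection" idea concrete, here is an added example (not code from the original post) of a minimal risk register: it records a risk only where an asset, a threat able to exploit a vulnerability, and a vulnerability that leaves that asset unprotected all coincide, and it separately lists threats with nothing to exploit and gaps no threat acts on, the two "little/no risk" cases described above. The class names, field names and sample data are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not from the original post. Names and sample data are
# constructed; the only rule implemented is the post's own: a risk exists
# where an asset, a threat and a vulnerability intersect.


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str  # "people", "property" or "information"


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposes: frozenset  # names of assets this gap leaves unprotected


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset  # names of vulnerabilities this threat can exploit


def risk_register(assets, threats, vulnerabilities):
    """Return sorted (asset, threat, vulnerability) triples.

    A triple is recorded only when the threat can exploit the vulnerability
    AND the vulnerability exposes the asset. A threat with nothing to exploit,
    or a gap no threat acts on, contributes no entry.
    """
    asset_names = {a.name for a in assets}
    register = []
    for vuln in vulnerabilities:
        exploited_by = [t for t in threats if vuln.name in t.exploits]
        for threat in exploited_by:
            for asset_name in sorted(vuln.exposes & asset_names):
                register.append((asset_name, threat.name, vuln.name))
    return sorted(register)


def idle_threats(threats, vulnerabilities):
    """Threats that exist but have no known vulnerability to exploit."""
    known = {v.name for v in vulnerabilities}
    return sorted(t.name for t in threats if not (t.exploits & known))


def unthreatened_vulnerabilities(threats, vulnerabilities):
    """Gaps that no known threat acts on (little/no risk until one appears)."""
    exploited = set().union(*(t.exploits for t in threats)) if threats else set()
    return sorted(v.name for v in vulnerabilities if v.name not in exploited)


# Constructed sample data for the three asset categories in the post
ASSETS = [
    Asset("customer database", "information"),
    Asset("head office", "property"),
    Asset("field staff", "people"),
]
VULNERABILITIES = [
    Vulnerability("unpatched web application", frozenset({"customer database"})),
    Vulnerability("no visitor sign-in", frozenset({"head office"})),
    Vulnerability("unlocked server cabinet", frozenset({"customer database"})),
]
THREATS = [
    Threat("external attacker", frozenset({"unpatched web application"})),
    Threat("uninvited visitor", frozenset({"no visitor sign-in"})),
    Threat("river flood", frozenset()),  # a real threat, but no gap it can exploit here
]


def example_register():
    """The register built from the constructed sample data."""
    return risk_register(ASSETS, THREATS, VULNERABILITIES)


if __name__ == "__main__":
    for asset, threat, vuln in example_register():
        print(f"RISK: {threat} exploits '{vuln}' to reach {asset}")
    print("threats with nothing to exploit:", idle_threats(THREATS, VULNERABILITIES))
    print("gaps no threat acts on:", unthreatened_vulnerabilities(THREATS, VULNERABILITIES))
```

Run as a script, it lists two risks (the attacker against the database, the visitor against the office), reports the flood as a threat with nothing to exploit, and reports the unlocked cabinet as a gap that no threat in the register currently acts on. Removing either the threat list or the vulnerability list empties the register, which is the point of the paragraph above.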



  1. You are spot on. Eliminating risk is where companies need to focus their resources. Risk leads to impact and impact leads to unnecessary expense.

  2. A better representation could be:

    Risk = Threat x Vulnerability x Asset

    Multiplied together. Not added together. If one of those three items does not exist (i.e. =0) there is “zero” risk. Similar in concept to the fact that if there is fire there must also be heat, oxygen and fuel. Take away any of those items (heat, fuel or oxygen) and there will be no fire.

  3. Thanks for the excellent explanation.

    I was really mixing up! But with the clear R=A+T+V, it is no longer fuzzy :)

  4. A Threat is an identified and real entity/situation outside of the control of the organization that has a negative impact on the organization.

    A Risk on the other hand is the possibility of a situation/entity outside of the control of the organization that has a negative impact on it, becoming real.

    Vulnerability is the extent to which the present circumstances of your company will aid the realization of a Risk.


    Risk = Threat x Probability

  5. While your explanation has merit, I disagree because it is too simplistic to truly understand or qualitatively or quantitatively calculate risk. Probability is a function of threat (as defined in the original post).

    Your post is approved for consideration by others.

  6. Very simple and meaningful explanation… and I agree with Brian it should be multiplied, but maybe the explanation is just about emphasis on the presence of these components…

  7. I would expect / suggest the formula to be more like…

    Threat x Probability x Vulnerability = Risk for an Asset

    So, for a perceivable threat (100%), if the likelihood it will take place is, say, 80%, but the level of vulnerability of the asset that can be exploited by that particular threat is just 20%, then the risk for the asset can be indicated as:

    1 x 0.8 x 0.2 = 16%


  8. I disagree with the multiplication formula. If one of the elements is zero then mathematically, the result would be zero.

  9. Do not forget guys that the article is mainly aimed to let people understand what the difference is in the most convenient and to an extent most simple way.

    P.S. @Steve Siva Should we take it on into making it more accurate and in practice confusing to majority of the people – we can divide probability into direct (real) and potential.

  10. Businesses are not in the business of eliminating risk. Instead they seek to reduce it to an acceptable level. That first comment above is a common error.

  11. What is the relationship of Impact in this equation? If there is no impact on exploiting any vulnerability then again there is no risk?

    So another formula could be

    Risk= Likelihood x Impact
