Threat, Vulnerability and Risk

Let's take a look at each of these from a security perspective, and try to clear up any confusion. In my experience I see a lot of individuals getting these mixed up.


Threat

A threat is a negative event that can lead to an undesired outcome for an asset. It poses a danger, and it is something we would like to avoid and prevent. A threat can also be an unintentional event, and it is not necessarily attributed to an individual.


  • A nefarious individual attempts to steal data from an app
  • Some system administrator turns off an AWS instance
  • A fire in a data center
  • An individual unintentionally emails all employee data to everyone in the organisation
  • An insider takes a copy of data and attempts to sell it

Threat Actor

A threat actor is a person, an entity or an organization that initiates a negative event.


  • Disgruntled employee
  • Nation State
  • A criminal in cyberland


Vulnerability

A vulnerability is a weakness or a flaw in a system, or in the methods and measures used to protect an asset. Vulnerabilities are what make threats possible, and threat actors take advantage of them.


  • Any item on the OWASP Top Ten lists, e.g. Injection.


Risk

I tend to work backwards with this one, and think of the standard risk calculation formula:

Risk = Probability * Impact

A risk is a negative outcome that we want to avoid, combined with its probability and its impact.

It is the likelihood of something bad happening combined with how bad it (i.e., the impact) would be.