Threat, vulnerability, risk: What is the difference?

Threat, vulnerability and risk are terms that are commonly mixed up. Understanding the difference, however, is crucial for building effective cybersecurity policies and keeping your company safe from cyber attacks.


A threat is any type of danger that can damage or steal data, create a disruption or cause harm in general. Common examples of threats include malware, phishing, data breaches and even rogue employees.

Threats are carried out by threat actors, individuals or groups with a variety of backgrounds and motivations. Understanding threats is critical for building effective mitigations and helps you make the right decisions in cybersecurity. Information about threats and threat actors is called threat intelligence.

You can read more about the current top five cyber threats and the steps to mitigate them in our latest report: Key Cyber Risks and Threats.


CISO as a Service

LIFARS’ CISO as a Service is designed to address organizations’ information security leadership needs. Our CISOs are highly skilled at establishing, improving, and transforming Cybersecurity Programs focused on maximizing business values by minimizing risks and optimizing opportunities.


A vulnerability is a weakness in hardware, software, personnel or procedures that threat actors may exploit in order to achieve their goals.

Vulnerabilities can be physical, such as a publicly exposed networking device; software-based, such as a buffer overflow vulnerability in a browser; or even human, such as an employee susceptible to phishing attacks.

The process of discovering, reporting and fixing vulnerabilities is called vulnerability management. A vulnerability for which no fix is yet available is called a zero-day vulnerability.


Risk is a combination of the threat probability and the impact of a vulnerability. In other words, risk is the likelihood of a threat agent successfully exploiting a vulnerability, combined with the impact of that exploitation, which can also be expressed by the following formula:


Risk = Threat Probability * Vulnerability Impact.


Identifying all potential risks, analyzing their impact and evaluating the appropriate response is called risk management. It is a never-ending process that constantly evaluates newly found threats and vulnerabilities. Based on the chosen response, risks can be avoided, mitigated, accepted, or transferred to a third party.
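As an added example (not code from the original article), a small risk register that applies the formula above to a few of the threats and vulnerabilities mentioned on this page, ranks them, flags zero-day entries, and maps each score to one of the four responses. The probability and impact scales, the response thresholds and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed scales: probability in [0, 1], impact on a 1..5 ordinal scale.
# Assumed response policy: minimum score for each response, highest first.
RESPONSE_THRESHOLDS = [(3.0, "avoid"), (1.5, "mitigate"), (0.5, "transfer"), (0.0, "accept")]

@dataclass
class RiskEntry:
    threat: str
    vulnerability: str
    probability: float          # threat probability: likelihood of successful exploitation
    impact: int                 # vulnerability impact: consequence if exploitation succeeds
    fix_available: bool = True  # False marks a zero-day vulnerability (no fix yet)

    def risk(self) -> float:
        """Risk = Threat Probability * Vulnerability Impact, with input validation."""
        if not 0.0 <= self.probability <= 1.0 or not 1 <= self.impact <= 5:
            raise ValueError("probability must be in 0..1 and impact in 1..5")
        return self.probability * self.impact

def choose_response(score: float) -> str:
    """Map a risk score to avoid / mitigate / transfer / accept."""
    for floor, response in RESPONSE_THRESHOLDS:
        if score >= floor:
            return response
    return "accept"

def build_register(entries):
    """Rank entries by risk, highest first, and attach the chosen response."""
    ranked = sorted(entries, key=lambda e: e.risk(), reverse=True)
    return [{"threat": e.threat, "vulnerability": e.vulnerability,
             "risk": round(e.risk(), 2), "response": choose_response(e.risk()),
             "zero_day": not e.fix_available} for e in ranked]

# Constructed sample entries mirroring the article's threat and vulnerability examples.
SAMPLE_ENTRIES = [
    RiskEntry("phishing", "employee susceptible to phishing", 0.6, 4),
    RiskEntry("malware", "browser buffer overflow, no patch yet", 0.5, 5, fix_available=False),
    RiskEntry("rogue employee", "over-broad file share permissions", 0.2, 3),
    RiskEntry("data breach", "publicly exposed networking device", 0.4, 5),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(row)
```

The register is re-run whenever a new threat or vulnerability is found, which is the never-ending loop the paragraph above describes.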

Companies should be aware of common cyber threats and of the vulnerabilities in their infrastructure in order to identify and properly respond to all of their risks. Well-planned risk management will help secure your data and save your company from undesirable downtime.