Differentiate between threat and vulnerability.

Management Information System ICT Revision Questions and Answers

A vulnerability is a weakness or flaw found in software and operating systems that threats try to exploit. Threats are malicious files or programs that attack an application’s or operating system’s vulnerability to gain access to a computer. A vulnerability is essentially a weakness found in a program. Threats come in many forms, depending on their mode of attack. From viruses to Trojans, spyware and bots, threats have evolved into sophisticated programs intended to harm computers.
Risk is a function of When a threat exploits vulnerabilities, it creates a risk of data loss, damage or destruction of assets. Threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little or no risk. Similarly, one can have a vulnerability, but if there is no threat, then there is little or no risk.
Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to assets. Understanding the difference between threats, vulnerabilities, and risk is the first step.

