A risk is the likelihood that an organization will face a vulnerability being exploited or a threat becoming harmful. Information systems can generate many direct and indirect risks. These risks lead to a gap between the need to protect systems and the degree of protection actually applied.
A threat is an entity or event with the potential to cause harm to a computer system. It may arise from technical conditions (program bugs, disk crashes), natural disasters (fires, floods), environmental conditions (electrical surges), human factors (lack of training, errors and omissions), unauthorized access (hacking) or viruses. Threats may arise from both intentional and unintentional acts and may come from internal and external sources. Threats should be identified and analyzed to determine the likelihood of their occurrence and their potential to harm computer assets.
A vulnerability is a weakness in the system's safeguards that exposes the system to threats. It may be a weakness in an information system, a cryptographic system or another component, for example in system security procedures, hardware design or internal controls, that could be exploited by a threat. Vulnerabilities are what potentially 'allow' a threat to harm or exploit the system.
Exposure is the extent of loss an organization has to face when a risk materializes. It is not just the immediate impact; the real harm may occur in the long run. Examples include loss of business, failure to perform the system's mission, loss of reputation, privacy violations, and loss of resources.