What’s the Difference Between Threat, Vulnerability and Risk?

If organisations are to protect their sensitive data, they need to understand the three core components of information security: threat, vulnerability and risk.

Those unfamiliar with the technicalities of information security might assume that these terms are interchangeable, but that’s not true.

This blog explains the difference between risks, threats and vulnerabilities, with examples for each.

What is an information security vulnerability?

A vulnerability is a known flaw that can be exploited to damage or compromise sensitive information.

Vulnerabilities are often associated with software flaws and how they can be exploited to perform tasks they weren’t intended for.

For instance, an attacker might exploit a vulnerability to plant malware on the organisation’s systems.

But vulnerabilities can also refer to weaknesses in physical security systems and employees.

This might be because a malicious actor can take advantage of the vulnerability to gain unauthorised access to sensitive information, or because the employee is liable to make mistakes.

Information security vulnerability examples

Software vulnerabilities include injection flaws, cross-site scripting flaws, broken access control and misconfigurations.

Physical weaknesses include things such as are broken locks that let unauthorised parties into a restricted part of your premises, and structural flaws in the building, such as a leaky pipe near a power outlet.

Other vulnerabilities include inherent human weaknesses, such as our susceptibility to phishing emails or the likelihood that we’ll misplace a sensitive file.

See also:

What is an information security threat?

An information security threat occurs when a vulnerability is exploited, whether intentionally or accidentally.

It includes any event that could negatively affect an asset – for example, if it’s lost, knocked offline or accessed by an unauthorised party.

Information security threat examples

There are three types of threat. The first are unintentional threats, such as an employee sending sensitive files to the wrong person or losing a hard drive.

In this instance, an employees’ susceptibility to make a mistake is the vulnerability. Meanwhile, the threat is the event itself that causes that mistake – i.e. the act of sending sensitive files to the wrong person.

The second type of threat are natural events, which can be caused by poor weather (such as a hurricane or snowstorm) or infrastructural damage (such as a burst pipe or a fire).

Again, the vulnerability is the organisation’s premises being located somewhere that may experience bad weather or infrastructural damage. The threat is the event related to that.

Finally, there are intentional threats, which comprise the actions of criminal hackers and malicious insiders.

For example, an attacker may knock an organisation offline with a ransomware attack, and a malicious insider may misappropriate sensitive information.

What is information security risk?

An information security risk is defined as the effects of a threat exploiting a vulnerability.

Risks include financial losses, loss of privacy, reputational damage and regulatory action.

Information security risk examples

A typical example of a risk is an employee falling for a phishing scam.

These are malicious emails that trick people into handing over their login credentials or downloading an attachment containing malware.

In this example, the phishing email is the threat and the employee’s susceptibility to be fooled is the vulnerability.

If they mistakenly open the attachment, the malware will be released onto their system and cause huge problems. Often, this entails attackers using spyware to monitor what the employee does on that system, thus giving them access to databases and other sensitive files.

The other form of phishing involves a more direct attack. The scammer makes the employee think they are logging in to a legitimate service but are instead handing over their username and password.

These are the risks associated with phishing scams.

Another example of an information security risk is a ransomware attack. In this case, the ransomware is the threat and how they plant it (often a system flaw or a phishing email) is the vulnerability.

Once infected, the organisation is locked out of its systems, with the attackers demanding a fee in exchange for the decryption key.

Given that cyber security experts warn against paying ransomware attackers, the organisation must resort to manual processes where possible. This will slow down processes and could result in deadlines not being met and contracts not being fulfilled.

Planning for vulnerabilities, threats and risks

Now that you understand the differences between vulnerabilities, threats and risks, you can see that information security comprises an intricate set of circumstances.

You should also be able to see a logical approach to the way risk management works. If you take an asset-based approach, you start with the information or location that could be compromised. You should then work out the ways it could be damaged (vulnerability) and how that could occur (threat).

Once you’ve defined those, you can identify your risks.

Of course, that’s only the first part of information security risk management; there’s also the managing aspect. This involves documenting, assessing and prioritising risks, then implementing measures to keep you protected.

This can be a labour-intensive task, but with our risk management tool, vsRisk, the hard work has been done for you.


This software package provides a fast and straightforward way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organisational roles to each asset group, applying relevant threats and risks by default.

Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.

Try vsRisk today with our free 30-day trial.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.