In today's world, protecting information is one of the critical tasks for companies. Every customer wants to be sure that you are keeping their information safe; if you can't keep it safe, you might lose your business. So, in order to handle information security issues that may impact your business, you should understand the relationship between three components: threat, vulnerability and risk.
Let's start with the things that we are going to protect, called assets. Assets include people, property, and data. People may include employees and customers of the company. Property may include tangible and intangible items. Data includes software code, company records and other intangible items.
Threat refers to an event that can lead to an undesired outcome such as damage or loss of an asset. Threats may be uncontrollable and are difficult or impossible to identify in advance. In order to understand threats, we should try to understand the relevant agents and their mindset, the assets that would be affected, and the possible actions against those assets.
Some common examples of threats are:
- Fire in the office
- Employees of the organization leaking information to its competitors
- Change in government policies
- Market influences
Vulnerability can be defined as a weakness or loophole in our systems. It is a weakness of any program that can be exploited by threats to gain unauthorized access to the assets. In other words, an application vulnerability is a flaw that can lead to a successful attack.
For example, when a team member resigns and you forget to disable their access to external accounts, change logins or remove their names from company records, this leaves your business open to both intentional and unintentional threats.
Risk can be defined as the potential for damage or harm when a threat exploits a vulnerability. It may include financial losses, privacy loss, reputation damage and any other kind of loss. The risk to your company would be information loss or a business interruption as a result of failing to address your vulnerabilities.
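The offboarding gap in the example above can be checked by comparing the list of people who have left against an export of accounts. The following is an added example, not part of the original article; the record layout, usernames, system names and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample data: HR leavers (username -> last working day).
LEAVERS = {"jdoe": date(2024, 3, 15), "asmith": date(2024, 5, 1)}

# Constructed account export. "users" lists everyone who knows the login;
# "rotated" is the date the credential was last changed.
ACCOUNTS = [
    {"system": "crm", "login": "jdoe", "users": ["jdoe"], "enabled": True,
     "rotated": date(2023, 11, 2), "last_login": date(2024, 4, 2)},
    {"system": "vpn", "login": "jdoe", "users": ["jdoe"], "enabled": False,
     "rotated": date(2023, 11, 2), "last_login": date(2024, 3, 10)},
    {"system": "social", "login": "marketing", "users": ["asmith", "bnguyen"],
     "enabled": True, "rotated": date(2024, 1, 10), "last_login": date(2024, 5, 20)},
    {"system": "bank", "login": "finance", "users": ["asmith", "clee"],
     "enabled": True, "rotated": date(2024, 5, 2), "last_login": date(2024, 5, 21)},
    {"system": "crm", "login": "bnguyen", "users": ["bnguyen"], "enabled": True,
     "rotated": date(2024, 2, 1), "last_login": date(2024, 5, 20)},
]


def audit_offboarding(leavers, accounts):
    """Return findings for enabled accounts a departed employee can still use."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # access was disabled, nothing to report
        for user in acct["users"]:
            left = leavers.get(user)
            if left is None:
                continue  # still employed
            personal = acct["users"] == [user]
            if personal:
                issue = "personal account still enabled"
            elif acct["rotated"] <= left:
                # Same-day changes are treated as "not changed" to stay conservative.
                issue = "shared login not changed since departure"
            else:
                continue  # shared credential was changed after they left
            findings.append({
                "system": acct["system"], "login": acct["login"],
                "leaver": user, "issue": issue,
                # A later login on a personal account means the gap was actually used.
                "used_after_leaving": personal and acct["last_login"] > left,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_offboarding(LEAVERS, ACCOUNTS):
        print(finding)
```

Each finding is a vulnerability in the article's sense: a weakness that exists whether or not anyone has used it yet, with `used_after_leaving` marking the cases that deserve investigation first.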
In other words, we can say:
Assets + Threats + Vulnerability = Risk