Free Ebook cover Cybersecurity Fundamentals for Absolute Beginners

Cybersecurity Fundamentals for Absolute Beginners

New course

14 pages
All courses > Information Technology > Cyber Security ::

Threats, Vulnerabilities, and Risk: Clear Differences

Capítulo 5

Estimated reading time: 11 minutes

+ Exercise

Why these three words get mixed up

In cybersecurity, people often use “threat,” “vulnerability,” and “risk” as if they mean the same thing. They do not. Mixing them up leads to bad decisions: you might spend money fixing the wrong problem, or you might underestimate a serious exposure because “nothing bad has happened yet.” This chapter separates the terms clearly and shows how to apply them in practical, everyday situations.

A useful way to think about them is: a threat is something that could cause harm, a vulnerability is a weakness that could be used, and risk is the combined likelihood and impact of harm happening in your specific context.

Threat: the “who/what could cause harm”

A threat is any circumstance, actor, event, or condition that could negatively affect your systems, accounts, devices, or data. Threats can be intentional (a criminal) or unintentional (a mistake), human or non-human (a power outage), targeted or opportunistic.

Common categories of threats

  • Cybercriminals: people trying to steal money, credentials, or valuable data, often using phishing, malware, or scams.
  • Malicious insiders: employees or contractors who misuse access on purpose.
  • Careless insiders: well-meaning people who make mistakes (sending data to the wrong person, misconfiguring a setting, losing a device).
  • Automated internet “noise”: bots scanning the internet for exposed services and known weaknesses.
  • Third parties: vendors, partners, or service providers whose compromise affects you.
  • Physical/environmental events: theft of a laptop, fire, flood, power loss, hardware failure.

What a threat is not

A threat is not the weakness itself. “We have an unpatched server” is not a threat; it is a vulnerability. “Ransomware operators might exploit unpatched servers” is a threat. A threat exists even if you are perfectly secure; it is about potential sources of harm in the world.

Practical examples of threats

  • A phishing campaign targeting employees of small businesses.
  • A burglar stealing devices from cars or offices.
  • A botnet scanning the internet for exposed remote access services.
  • A disgruntled employee exporting customer lists before quitting.
  • A storm causing a prolonged power outage in your area.

Vulnerability: the “weakness that can be exploited”

A vulnerability is a weakness in technology, process, or human behavior that could be exploited by a threat to cause harm. Vulnerabilities can be technical (software bugs), configuration-related (settings), procedural (missing approvals), or human (lack of training, fatigue, over-trusting messages).

Continue in our app.

You can listen to the audiobook with the screen off, receive a free certificate for this course, and also have access to 5,000 other free online courses.

Or continue reading below...
Download App

Download the app

Types of vulnerabilities (with beginner-friendly examples)

  • Software vulnerabilities: a known bug in an operating system or application that allows unauthorized access.
  • Misconfigurations: a cloud storage bucket accidentally set to public, or a database exposed to the internet.
  • Weak authentication: reused passwords, short passwords, no multi-factor authentication (MFA).
  • Excessive permissions: users having admin rights they do not need.
  • Unsecured endpoints: laptops without disk encryption, phones without screen locks.
  • Process gaps: no procedure for approving bank detail changes, no offboarding checklist.
  • Human factors: employees not trained to spot social engineering, or being pressured to “act fast.”

Vulnerabilities can exist without being exploited

Having a vulnerability does not automatically mean you will be attacked successfully. It means there is a weakness that could be used. Many organizations have vulnerabilities that remain unexploited for months, while others are exploited within minutes of exposure. The difference is often how visible the weakness is, how easy it is to exploit, and how active the relevant threats are.

Practical examples of vulnerabilities

  • An employee account that uses a reused password from another website.
  • A router still using the default admin password.
  • A file share that allows “Everyone” to read sensitive documents.
  • A laptop with no automatic screen lock.
  • A critical security update not installed for weeks.

Risk: the “chance of loss in your situation”

Risk is the possibility that a threat will exploit a vulnerability and cause harm, considering both likelihood (how probable it is) and impact (how bad it would be). Risk is contextual: the same vulnerability can represent high risk in one environment and low risk in another.

A simple risk formula you can actually use

A common beginner-friendly model is:

Risk = Likelihood × Impact

This is not precise math; it is a decision tool. You can score likelihood and impact on a simple scale (for example 1–5) and compare items to decide what to fix first.

Why risk is not the same as vulnerability

A vulnerability is a weakness. Risk is the expected harm from that weakness in the presence of relevant threats and your environment. If a vulnerability is present but there is no realistic threat or the impact would be minimal, the risk may be low. Conversely, a small-seeming weakness can be high risk if it is easy to exploit and would cause major damage.

Risk depends on context (two quick scenarios)

  • Scenario A: A test server with fake data is unpatched but is isolated from the internet. The vulnerability exists, but likelihood of exploitation may be low if access is restricted. Impact is also low because the data is not real.
  • Scenario B: A customer database server is unpatched and exposed to the internet. Likelihood is higher because it is visible to scanners, and impact is high because the data is sensitive and operations depend on it.

Putting it together: a clear mapping

Use this mental checklist:

  • Threat: What could cause harm? (actor/event)
  • Vulnerability: What weakness could be used? (flaw/gap)
  • Risk: What is the chance and consequence of harm here? (likelihood + impact)

Another way to phrase it:

  • Threat = “Someone/something might try.”
  • Vulnerability = “We have a weakness they could use.”
  • Risk = “So what could happen to us, and how bad would it be?”

Step-by-step: identify threats, vulnerabilities, and risks for one asset

This practical method works for a personal device, a small business, or a department inside a larger organization. You will pick one “asset” (something you care about protecting) and walk through a structured assessment.

Step 1: Choose one asset and define its boundaries

Pick something specific. Examples: “company email accounts,” “the payroll spreadsheet,” “the online store admin panel,” or “a personal smartphone.” Define what is included and what is not. For example, “company email accounts” might include Microsoft 365/Google Workspace accounts, mailboxes, and recovery settings, but not the entire laptop fleet.

Step 2: List realistic threats to that asset

Brainstorm threats that make sense for your situation. Keep it grounded: if you are a small local business, “nation-state espionage” is usually not your top concern, but phishing and credential theft likely are.

For “company email accounts,” realistic threats might include:

  • Phishing messages attempting to steal passwords or MFA codes.
  • Credential stuffing using leaked passwords from other sites.
  • Account takeover via weak recovery options (e.g., personal email recovery).
  • Malicious insider forwarding sensitive mail externally.

Step 3: Identify vulnerabilities that could enable those threats

Now list weaknesses that would make those threats more likely to succeed. Examples for “company email accounts”:

  • No MFA enabled for all users.
  • Users reuse passwords across sites.
  • Mailbox forwarding rules allowed without alerts.
  • Too many users have admin roles.
  • Security awareness training is missing or outdated.
  • Account recovery uses personal email addresses that are not protected.

Step 4: Describe the “risk statements” in plain language

Turn the threat + vulnerability into a risk statement that includes the impact. A good template is:

Because of [vulnerability], [threat] could cause [impact] to [asset].

Examples:

  • Because MFA is not enforced, phishing could lead to email account takeover, resulting in fraudulent invoice requests sent to customers.
  • Because forwarding rules are not monitored, an attacker could silently exfiltrate sensitive emails, causing data exposure and compliance issues.

Step 5: Score likelihood and impact (simple 1–5 scale)

Create a small table (even in a notebook). Define what your numbers mean so you stay consistent.

  • Likelihood 1: rare/unlikely; 5: very likely/expected.
  • Impact 1: minimal inconvenience; 5: severe financial/legal/operational harm.

Example scoring:

  • Email takeover via phishing without MFA: Likelihood 4, Impact 4 → Risk score 16.
  • Malicious insider forwarding data: Likelihood 2, Impact 4 → Risk score 8.

Step 6: Decide treatment: reduce, transfer, accept, or avoid

Once you have a risk score, decide what to do:

  • Reduce: add controls to lower likelihood or impact (enable MFA, restrict admin roles, add alerts).
  • Transfer: shift some financial impact (insurance, contractual terms), while still reducing where practical.
  • Accept: consciously decide to live with it (usually for low scores) and document why.
  • Avoid: stop the activity that creates the risk (e.g., stop using a risky tool or exposure).

Practical examples that show the differences clearly

Example 1: Phishing email to finance

Threat: A scammer sends a convincing message pretending to be a supplier asking to change bank details.

Vulnerability: The company has no verification process for bank detail changes; staff are pressured to act quickly; no second-person approval.

Risk: Money could be transferred to the attacker’s account, causing direct financial loss and potential inability to pay real suppliers.

Notice how the threat is the scammer and the action, the vulnerability is the missing process, and the risk is the expected harm in your environment.

Example 2: Lost laptop in a coffee shop

Threat: Theft or loss of a device in a public place.

Vulnerability: No full-disk encryption; weak screen lock; sensitive files stored locally.

Risk: Whoever gets the laptop could access stored documents and saved sessions, leading to data exposure and account compromise.

Example 3: Publicly exposed database port

Threat: Automated scanners and attackers searching for exposed databases.

Vulnerability: Database port open to the internet; weak credentials; lack of network restrictions.

Risk: Unauthorized access could lead to data theft, service disruption, and costly incident response.

Common beginner mistakes (and how to correct them)

Mistake 1: Calling a vulnerability a threat

Incorrect: “Our threat is that we haven’t patched the server.” Correct: “Our vulnerability is that the server is unpatched; the threat is attackers exploiting known bugs; the risk is downtime or data exposure.”

Mistake 2: Treating “threat” as only “hackers”

Threats include mistakes, misdelivery, lost devices, and outages. If you only think about criminals, you will miss common sources of harm that are often easier to address with good processes.

Mistake 3: Ignoring impact because likelihood feels low

Some events are rare but catastrophic. For example, a single compromised admin account might be unlikely, but the impact could be severe. Risk scoring forces you to consider both sides.

Mistake 4: Fixing the most visible vulnerability, not the highest risk

Beginners often chase whatever looks most technical (like a scary vulnerability name) while ignoring a simple, high-risk weakness (like no MFA). Prioritize based on likelihood and impact, not on how complex the fix sounds.

Step-by-step: build a simple risk register (beginner version)

A risk register is just a list of risks with enough detail to track decisions. You can do this in a spreadsheet.

Step 1: Create columns

Use these columns:

  • Asset
  • Threat
  • Vulnerability
  • Risk statement
  • Likelihood (1–5)
  • Impact (1–5)
  • Score (L×I)
  • Current controls (what you already do)
  • Planned controls (what you will add)
  • Owner (who is responsible)
  • Due date
  • Status

Step 2: Add 5–10 risks for one area

Start small. For example, focus only on “employee accounts” or “customer data handling.” The goal is not perfection; it is clarity and prioritization.

Step 3: Write specific controls, not vague intentions

Vague: “Improve security.” Specific: “Enforce MFA for all accounts by date X,” “Disable legacy authentication,” “Enable alerts for new inbox forwarding rules,” “Require two-person approval for bank detail changes.”

Step 4: Review and update regularly

Risk changes when you change systems, add staff, adopt new tools, or when threat activity increases. A simple monthly or quarterly review keeps the register useful.

How controls relate to threats, vulnerabilities, and risk

A control is a safeguard that reduces risk. Controls can reduce likelihood (making exploitation harder) or reduce impact (limiting damage). Controls do not eliminate threats; they address vulnerabilities and reduce risk.

Examples of controls mapped to what they change

  • MFA: reduces likelihood of account takeover even if passwords are stolen.
  • Least privilege: reduces impact by limiting what a compromised account can do.
  • Patch management: reduces vulnerability by removing known weaknesses.
  • Backups with testing: reduces impact of destructive events by enabling recovery.
  • Security monitoring and alerts: reduces time-to-detect, which often reduces impact.
  • Approval workflows: reduces likelihood of successful fraud caused by social engineering.

Mini-lab: classify statements correctly

Practice by labeling each item as Threat, Vulnerability, or Risk. Then check your reasoning.

  • “Employees sometimes approve login prompts without reading them.” (Vulnerability: human behavior weakness)
  • “Attackers send push-notification spam to trick users into approving MFA.” (Threat: attacker tactic)
  • “An attacker could take over an account and access shared files, causing data exposure.” (Risk: harm scenario)
  • “The shared drive allows all staff to view HR documents.” (Vulnerability: excessive permissions)
  • “A contractor account remains active after the contract ends.” (Vulnerability: offboarding gap)
  • “A former contractor could still log in and download internal documents.” (Risk: threat exploiting vulnerability leading to impact)

Quick checklist you can use in real conversations

When someone raises a security concern, ask these questions to keep terms clear:

  • What is the threat? Who/what could cause harm?
  • What is the vulnerability? What weakness makes it possible?
  • What is the impact? What would we lose or disrupt?
  • How likely is it here? Based on exposure, attractiveness, and existing controls.
  • What control would reduce it most? Prefer high-impact, practical changes.

Now answer the exercise about the content:

Which statement correctly describes risk in cybersecurity?

You are right! Congratulations, now go to the next page

You missed! Try again.

Risk combines how likely harm is and how severe it would be if a threat exploits a vulnerability. It depends on your specific situation, not just the presence of a weakness.

Next chapter

Common Attacker Motivations and What They Target

Arrow Right Icon
Learn Cyber Security

LearnCyber Security

Discover free online courses in Cyber Security, from fundamentals to advanced topics. Gain skills with free certifications in IT Security, Pen Testing, and more today!

 Learn Information Technology

LearnInformation Technology

Our IT free online courses offer top-notch training in the latest technologies and tools, including programming languages, web development, cybersecurity, and more.
Download the app to earn free Certification and listen to the courses in the background, even with the screen off.
QR Code - Baixar Cursa - Cursos Online

Download our app via QR Code or the links below:.

Get it on Google Play Get it on App Store