Topic 03

Threats, Vulnerabilities, and Risk

Concept

People throw the words "threat," "vulnerability," and "risk" around as if they all mean "something bad might happen." They don't, and the blur makes security impossible to think about clearly. These are three distinct things, and separating them is the single most useful habit you can build early.

Here they are in one line: a vulnerability is a weakness, a threat is something that could exploit that weakness, and risk is how likely that is to happen and how bad it would be. The rest of this page just slows that sentence down.

Diagram: how the three words relate — a weakness, something that exploits it, and what that adds up to.
  • Vulnerability: a weakness
  • Threat: what could exploit it
  • Risk: how likely · how bad

Vulnerability: The Weakness

A vulnerability is a flaw that could be taken advantage of. In the physical world it is a window with a broken latch. In the digital world it is a password Olivia reused across sites, an app she never updated, or a setting left switched off. On its own, a vulnerability is just a weakness sitting there — it has not hurt anyone yet. But it is the opening that everything else needs.

Threat: What Could Exploit It

A threat is the thing that could turn that weakness into actual harm. It might be a person — a burglar, a scammer, a criminal group — or it might be a piece of software, or even an event. The key is that a threat needs a vulnerability to act on. A burglar (threat) is only a problem to you if there is an unlatched window (vulnerability) for them to use.

This is why the two are so easy to confuse, and so important to keep apart: the weakness and the thing that exploits it are different halves of the same story. Fix the weakness, and the same threat can no longer touch you.

Risk: How Likely, and How Bad

Risk is where it gets practical. Risk combines two things: how likely a threat is to exploit a vulnerability, and how bad it would be if it did. A weakness that no attacker can reach is low risk, even if the flaw is serious. A weakness attackers love, guarding something valuable, is high risk. The same vulnerability can carry very different risk depending on what is exposed and to whom.

So risk is not the same as danger or fear. It is a deliberate weighing — likelihood times impact — and it is what lets defenders make sensible decisions instead of reacting to whatever sounds scariest.

Risk is neither factor alone — it is the two multiplied together.
  • Likelihood: how probable is it that a threat exploits this weakness? A flaw attackers cannot reach stays low, even if the flaw itself is serious.
  • Impact: how bad would it be if it succeeded? A weakness guarding nothing important has low impact, even if attackers can reach it with ease.
  • Risk = Likelihood × Impact
Two equally alarming-sounding flaws can carry very different risk depending on how reachable each is and what is at stake if it is exploited.

Why Defenders Think in Risk

No one can fix every weakness; there are always more than there is time or money for. So defenders rank what to fix by risk — handling the likely, high-impact problems first and accepting that some low-risk weaknesses will be left alone for now. That is not laziness or negligence; it is the only realistic way to spend limited effort, and it is the idea behind the next topic, where we will see that perfect security is not even the goal.
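The ranking this paragraph describes, as an added example that is not part of the original lesson: a constructed inventory of three weaknesses is ordered once by how serious each flaw is in isolation and once by Likelihood × Impact, and a threshold marks what is fixed now versus accepted for now. The ordinal scales, the inventory and the threshold are all assumptions made for the example.

```python
from dataclasses import dataclass

# Ordinal scales for the page's two factors (constructed for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Weakness:
    name: str
    severity: int    # how serious the flaw is on its own (1 = trivial, 5 = critical)
    likelihood: str  # how probable it is that a threat reaches and exploits it
    impact: str      # how bad a successful exploit would be for what it guards


def risk_score(w: Weakness) -> int:
    """Risk = Likelihood x Impact on the ordinal scales above."""
    return LIKELIHOOD[w.likelihood] * IMPACT[w.impact]


def rank_by_severity(weaknesses):
    """The intuitive but misleading order: scariest-sounding flaw first."""
    return [w.name for w in sorted(weaknesses, key=lambda w: w.severity, reverse=True)]


def triage(weaknesses, accept_below=6):
    """Rank by risk; anything under the threshold is accepted for now.
    Returns (fix_now, accepted) as lists of names, highest risk first."""
    ranked = sorted(weaknesses, key=risk_score, reverse=True)
    fix_now = [w.name for w in ranked if risk_score(w) >= accept_below]
    accepted = [w.name for w in ranked if risk_score(w) < accept_below]
    return fix_now, accepted


# Constructed inventory: one serious-but-unreachable flaw and two mundane exposed ones.
INVENTORY = [
    Weakness("critical bug on an unplugged archive PC", severity=5, likelihood="rare", impact="major"),
    Weakness("password reused across shopping sites", severity=3, likelihood="likely", impact="moderate"),
    Weakness("security setting left off on work email", severity=2, likelihood="likely", impact="severe"),
]

if __name__ == "__main__":
    print("by severity:", rank_by_severity(INVENTORY))
    fix_now, accepted = triage(INVENTORY)
    print("fix now:", fix_now)
    print("accepted for now:", accepted)
```

The severity order puts the archive PC first, while the risk order puts it last: a score of 4 against 12 and 20, which is the point the paragraph makes.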

Common Confusions
  • "A vulnerability and a threat are the same thing." The weakness is the vulnerability; the thing that could exploit it is the threat. A broken latch is not the same as the burglar.
  • "Every vulnerability has to be fixed right away." Defenders rank by risk. A weakness nothing can reach may sit below a smaller one that is fully exposed — fixing order follows risk, not just severity.
  • "Risk just means danger." Risk is specifically likelihood combined with impact. Two equally scary-sounding flaws can carry very different risk depending on how reachable and how costly each is.
  • "If a serious flaw exists, a breach is certain." A flaw is only an opening. Whether it leads to harm depends on a threat reaching it and the risk that follows — existence isn't the same as exploitation.

Why It Matters
  • These three words appear constantly in security writing; keeping them separate lets you read any report or headline and know exactly what is being claimed.
  • "Risk = likelihood × impact" explains why no team fixes every issue — and why that is the correct, professional approach rather than a failing.
  • The distinction sets up nearly everything later: attacks exploit vulnerabilities, defenses remove them, and decisions about both are made by weighing risk.

Knowledge Check

Olivia reuses the same password on many sites. In these terms, the reused password is a:

  • Vulnerability — a weakness that could be exploited
  • Threat — the thing doing the exploiting
  • Risk — the likelihood and impact combined
  • None of these — passwords are credentials and don't count as a threat, vulnerability, or risk

What does "risk" specifically combine?

  • How likely something is to happen and how bad it would be
  • A weakness plus the person who built the system
  • Only how severe a flaw is, ignoring whether it can be reached
  • How frightening an attack sounds when described

Why don't security teams fix every known vulnerability immediately?

  • There are always more weaknesses than resources, so they rank by risk
  • Because it is careless and negligent to leave any known weakness unfixed, no matter how minor or hard to reach
  • Because fixing vulnerabilities is against security rules
  • Because vulnerabilities aren't actually real problems
