Grade 11 ITC · Term 4 · Digital Security Textbook
Unit 1 · Security Concepts & Threats · Chapter 2

Threat, Vulnerability, Risk and Attack

Week 1 · Day 2 · Benchmark 11.4.2.1 Explain core security concepts and identify common threats
Essential question

How do small weaknesses become big security problems?

Learning objectives
  • Define threat, vulnerability, risk and attack
  • Distinguish between the four terms using examples
  • Rank school IT assets by risk

Overview

People often use the words threat, vulnerability, risk and attack as if they mean the same thing. In security they mean four different things, and mixing them up makes it hard to plan defences. Think of a house: a burglar is a threat, an unlocked window is a vulnerability, the chance of being robbed is a risk, and someone actually climbing through the window is an attack. The same logic applies to computers.

Threat

A threat is anything or anyone that could cause harm — a hacker, a virus, a fire, or a careless user.

Vulnerability

A vulnerability is a weakness the threat can use. An out-of-date operating system, a weak password, or an unlocked server room are all vulnerabilities.

Risk

Risk is the chance that a threat exploits a vulnerability, combined with how bad the damage would be. Risk = Threat × Vulnerability × Impact.

Attack

An attack is a threat actually happening — phishing emails being sent, ransomware running, a laptop being stolen.

Activity

Rank School IT Assets

  1. In pairs, list 5 IT assets in your school (e.g. exam server, Wi-Fi, printer).
  2. For each, name one threat and one vulnerability.
  3. Score impact 1–5 and rank the assets from highest to lowest risk.
Review questions
  1. Give one threat and one matching vulnerability for a student laptop.
    Reveal answer

    Threat: malware. Vulnerability: no antivirus / no updates.

  2. Write the risk formula.
    Reveal answer

    Risk = Threat × Vulnerability × Impact.

  3. Is a locked door a threat or a control?
    Reveal answer

    A control — it reduces vulnerability.

  4. Why can risk never be zero?
    Reveal answer

    Some threats and vulnerabilities always remain; risk can only be reduced, not eliminated.

Take it home

Choose your phone as an asset. Write two threats, two vulnerabilities, and one control that would lower the risk.