Threat, Vulnerability, Risk and Attack
How do small weaknesses become big security problems?
- Define threat, vulnerability, risk and attack
- Distinguish between the four terms using examples
- Rank school IT assets by risk
Overview
People often use the words threat, vulnerability, risk and attack as if they mean the same thing. In security they mean four different things, and mixing them up makes it hard to plan defences. Think of a house: a burglar is a threat, an unlocked window is a vulnerability, the chance of being robbed is a risk, and someone actually climbing through the window is an attack. The same logic applies to computers.
Threat
A threat is anything or anyone that could cause harm — a hacker, a virus, a fire, or a careless user.
Vulnerability
A vulnerability is a weakness the threat can use. An out-of-date operating system, a weak password, or an unlocked server room are all vulnerabilities.
Risk
Risk is the chance that a threat exploits a vulnerability, combined with how bad the damage would be. Risk = Threat × Vulnerability × Impact.
Attack
An attack is a threat actually happening — phishing emails being sent, ransomware running, a laptop being stolen.
Rank School IT Assets
- In pairs, list 5 IT assets in your school (e.g. exam server, Wi-Fi, printer).
- For each, name one threat and one vulnerability.
- Score impact 1–5 and rank the assets from highest to lowest risk.
- Give one threat and one matching vulnerability for a student laptop.
Reveal answer
Threat: malware. Vulnerability: no antivirus / no updates.
- Write the risk formula.
Reveal answer
Risk = Threat × Vulnerability × Impact.
- Is a locked door a threat or a control?
Reveal answer
A control — it reduces vulnerability.
- Why can risk never be zero?
Reveal answer
Some threats and vulnerabilities always remain; risk can only be reduced, not eliminated.
Choose your phone as an asset. Write two threats, two vulnerabilities, and one control that would lower the risk.