Vulnerability vs Threat vs Risk: The Difference
These three words get used interchangeably but mean very different things. Simply: a vulnerability is a weakness in a system, a threat is an actor or event that could exploit that weakness, and risk is the likelihood of that happening combined with the impact if it does. Getting them right is fundamental security literacy, because each one calls for a different response.
A simple example
An unlocked window is a vulnerability. A burglar is a threat. The risk is the chance a burglar uses that window, times the damage they'd do. Fix the vulnerability (lock it), and the threat still exists but the risk drops. This is exactly how security teams prioritise: they cannot remove the threats, so they close the vulnerabilities those threats are most likely to use, starting with the ones where the damage would be worst.
CVE and CVSS
Specific, publicly known vulnerabilities get a public identifier, a CVE (Common Vulnerabilities and Exposures) ID of the form CVE-YYYY-NNNN, and a severity score under CVSS (Common Vulnerability Scoring System). The CVSS base score runs from 0.0 to 10.0 and rates how bad the weakness is in isolation; it does not say whether anyone is exploiting it or whether your copy of the affected software is reachable. Analysts combine the score with that context to decide what to patch first: high CVSS, reachable by attackers, and under active exploitation means urgent, while the same CVE on an isolated host with no known exploit can wait for the normal patch cycle. Vulnerability management is a core security function taught in CyberOps.
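As an added example (not part of the original page and not CyberOps course material), the Python below applies the prioritisation rule described above to a constructed list of findings. It validates the CVE identifier format, maps a CVSS v3.x base score to its qualitative rating (None/Low/Medium/High/Critical), and then ranks findings by severity together with the two pieces of context the base score does not carry: whether the asset is exposed to attackers and whether exploitation is already known. The priority tiers, the field names and the sample CVE IDs are assumptions chosen for illustration; the IDs are format-valid placeholders, not references to real CVE records.

```python
import re
from dataclasses import dataclass
from typing import List

# CVE IDs look like CVE-YYYY-NNNN, with a four-digit year and at least
# four sequence digits (longer sequences are allowed).
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve_id(cve_id: str) -> bool:
    """True if the string is a syntactically valid CVE identifier."""
    return bool(CVE_ID.match(cve_id))


def cvss_rating(score: float) -> str:
    """Map a CVSS v3.x base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    cve_id: str
    cvss_base: float
    internet_exposed: bool   # the vulnerable service is reachable by attackers
    exploited_in_wild: bool  # a threat is actively using it (assumed to come from threat intel)
    asset: str


def priority(f: Finding) -> str:
    """Hypothetical triage tiers: severity plus exposure plus threat = urgency."""
    severe = cvss_rating(f.cvss_base) in ("High", "Critical")
    if severe and f.internet_exposed and f.exploited_in_wild:
        return "P1-urgent"          # high CVSS + exposed + threatened
    if severe and (f.internet_exposed or f.exploited_in_wild):
        return "P2-high"            # high CVSS with one risk factor present
    if severe or f.exploited_in_wild:
        return "P3-medium"          # severe but isolated, or exploited but low impact
    return "P4-scheduled"           # normal patch cycle


TIER_ORDER = {"P1-urgent": 0, "P2-high": 1, "P3-medium": 2, "P4-scheduled": 3}


def triage(findings: List[Finding]) -> List[Finding]:
    """Return findings ordered by tier, then by base score within a tier."""
    for f in findings:
        if not is_valid_cve_id(f.cve_id):
            raise ValueError(f"malformed CVE ID: {f.cve_id}")
    return sorted(findings, key=lambda f: (TIER_ORDER[priority(f)], -f.cvss_base))


def triaged_ids(findings: List[Finding]) -> List[str]:
    """Convenience view: just the CVE IDs in patch order."""
    return [f.cve_id for f in triage(findings)]


# Constructed sample scan output; IDs are placeholders, not real CVE records.
SAMPLE_FINDINGS = [
    Finding("CVE-2000-0001", 9.8, True,  True,  "edge-vpn"),      # worst case
    Finding("CVE-2000-0002", 7.5, False, True,  "internal-db"),   # exploited, not exposed
    Finding("CVE-2000-0003", 5.3, True,  False, "web-cms"),       # medium, no known exploit
    Finding("CVE-2000-0004", 8.1, False, False, "build-server"),  # severe but isolated
    Finding("CVE-2000-0005", 2.0, True,  True,  "kiosk"),         # low impact, but exploited
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{priority(f):12} {f.cve_id} {f.cvss_base:4.1f} "
              f"{cvss_rating(f.cvss_base):8} {f.asset}")
```

Note that the same base score lands in different tiers depending on context: the 8.1 on the isolated build server ranks below the 7.5 on the exploited database, which is the vulnerability-versus-threat-versus-risk distinction applied in practice.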
Frequently asked questions
What is the difference between a vulnerability and a threat?
A vulnerability is a weakness that could be exploited; a threat is the actor or event that could exploit it. Risk combines the two with likelihood and impact.
What is a CVE?
A Common Vulnerabilities and Exposures identifier — a unique public ID assigned to a specific known vulnerability.
What does CVSS measure?
The severity of a vulnerability on a 0.0–10.0 scale (the base score), which helps teams prioritise which to patch first once they add context the score does not include, such as whether the system is exposed and whether an exploit is in use.
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.