RISKS, THREATS AND VULNERABILITIES

Risks, threats and vulnerabilities are three of the most commonly mixed-up terms in cybersecurity (another such pair is cybersecurity and information security). It is not uncommon to be slightly confused when separating the definitions of these terms, or to use them interchangeably. This article provides a simple differentiation among the three concepts. First, a definition of terms:

Assets: These are the people, infrastructure and/or information belonging to an organisation which may be targeted by attackers. Gartner defines a 'technology asset' as an asset that can generate, receive or process digital information to support business activity. The goal of cybersecurity is the protection of information being transferred between these technology assets.

Vulnerabilities: A vulnerability is a flaw inherent in a technology asset which can be exploited by an attacker to gain unauthorised access to the technology asset.

Threats: These are the sources of cyber-attacks on technology assets. A threat is anything or anyone that can exploit a vulnerability, intentionally or unintentionally, in order to attack or infiltrate an information asset.

Risks: Risks are the potentials for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

Essentially, risk is a function of threats exploiting vulnerabilities to attack technology assets. One of the key goals of cybersecurity is the reduction of cyber risk, i.e. the probability that prevalent threats will exploit existing vulnerabilities on technology assets to carry out cyber-attacks. This is done by implementing relevant controls on assets and by mitigating existing vulnerabilities in information assets; together, these two activities reduce cybersecurity risk.

This is aptly captured by the risk equation:

R = A + V + T

Risk = Assets + Vulnerabilities + Threats.

Therefore, reducing risk to an organisation hinges on security engineers understanding the current threat landscape, mitigating the vulnerabilities existing on information assets, and implementing controls to prevent risks from materialising.
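To make the relationship between the three terms concrete, here is an added worked example (not code from the article) that scores a small asset register with the article's additive form R = A + V + T, then shows how the two activities above, mitigating a vulnerability and implementing a control, lower the residual risk of each asset. The 1-5 ordinal scales, the Low/Medium/High band thresholds, the control effects and the asset register itself are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace
from typing import List

# Ordinal scoring scale. The 1-5 range and the band thresholds further down
# are assumptions made for this example, not values from the article.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # A: importance of the asset to the business (1-5)
    vulnerability: int  # V: how exposed/exploitable the asset currently is (1-5)
    threat: int         # T: how likely a threat source is to act against it (1-5)
    controls: tuple = ()  # names of controls already applied (kept for the report)


def _score(n: int, label: str) -> int:
    """Reject scores outside the ordinal scale so bad register data is caught early."""
    if n not in SCALE:
        raise ValueError(f"{label} must be in 1..5, got {n}")
    return n


def risk(asset: Asset) -> int:
    """R = A + V + T, the article's additive risk equation, on ordinal scores (3..15)."""
    return (_score(asset.value, "A")
            + _score(asset.vulnerability, "V")
            + _score(asset.threat, "T"))


def risk_band(score: int) -> str:
    """Map a numeric risk score to a qualitative band (thresholds are assumed)."""
    if score >= 12:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def apply_control(asset: Asset, name: str,
                  vuln_reduction: int = 0, threat_reduction: int = 0) -> Asset:
    """Return a copy of the asset with one control applied.

    Vulnerability mitigation (patching, hardening) lowers V; a control that removes
    exposure to a threat source (segmentation, access restriction) lowers T.
    Neither score drops below 1: a control reduces risk, it never eliminates it.
    A is unchanged because a control does not make the asset less important.
    """
    return replace(
        asset,
        vulnerability=max(1, asset.vulnerability - vuln_reduction),
        threat=max(1, asset.threat - threat_reduction),
        controls=asset.controls + (name,),
    )


def rank_by_risk(assets: List[Asset]) -> List[Asset]:
    """Highest risk first, so treatment effort goes where it matters most."""
    return sorted(assets, key=risk, reverse=True)


def total_risk(assets) -> int:
    return sum(risk(a) for a in assets)


# Constructed sample register: illustrative names and scores only.
REGISTER = [
    Asset("customer database", value=5, vulnerability=4, threat=4),
    Asset("public web server", value=3, vulnerability=5, threat=5),
    Asset("staff laptop", value=2, vulnerability=3, threat=3),
]


def treated_register(assets: List[Asset]) -> List[Asset]:
    """Apply one vulnerability mitigation and one exposure-reducing control.

    The two treatments mirror the article's two activities: patching lowers V on the
    web server, segmentation lowers T on the database. Returns the residual register.
    """
    by_name = {a.name: a for a in assets}
    by_name["public web server"] = apply_control(
        by_name["public web server"], "patch management", vuln_reduction=3)
    by_name["customer database"] = apply_control(
        by_name["customer database"], "network segmentation", threat_reduction=2)
    return list(by_name.values())


if __name__ == "__main__":
    after = {a.name: a for a in treated_register(REGISTER)}
    for a in rank_by_risk(REGISTER):
        r0, r1 = risk(a), risk(after[a.name])
        print(f"{a.name:18s} inherent {r0:2d} ({risk_band(r0):6s}) "
              f"-> residual {r1:2d} ({risk_band(r1):6s}) "
              f"controls={list(after[a.name].controls)}")
    print("total inherent:", total_risk(REGISTER), " total residual:", total_risk(after.values()))
```

Two design points worth noting: the scores are ordinal, so the sum is only meaningful for ranking assets against each other and tracking the direction of change, not as a probability; and the floor of 1 on V and T encodes that residual risk never reaches zero, which is why the final paragraph speaks of preventing risks from materialising rather than removing them.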