1) A vulnerability is an inherent weakness in a system (hardware or software) that an attacker

can potentially exploit. Vulnerabilities exist in every system; “zero-day” vulnerabilities are those
that have not yet been discovered
2) A threat is any action (event, occurrence, circumstance) that could disrupt, harm, destroy, or
otherwise adversely affect an information system (and thus, an organization’s business and
operations). Viewed through the lens of the CIA triad, a threat is anything that could
compromise confidentiality, integrity, or availability of systems or data.
3) exploit In the context of cybersecurity threats and vulnerabilities, the verb exploit means to
take advantage of a vulnerability. Used as a noun, exploit refers to a tool, typically in the form of
source or binary code, that makes it easy for threat actors to take advantage of a specific
vulnerability.
4) RISK In information security, risk constitutes a vulnerability matched to a specific threat,
however, both the likelihood of the threat and the resulting impact must be considered to
determine a meaningful level of risk. Because unknown threats and vulnerabilities always exist,
risk can be reduced but never eliminated.

QUESTION TWO

Security incidents are events that may indicate that an organization's systems or data have been
compromised or that measures put in place to protect them have failed.

In IT, a security event is anything that has significance for system hardware or software, and an
incident is an event that disrupts normal operations. Security events are usually distinguished
from security incidents by the degree of severity and the associated potential risk to the
organization.

If just one user is denied access to a requested service, for example, that may be a security event
because it could indicate a compromised system. However, the access failure could also be
caused by a number of things. Typically, that one event doesn't have a severe impact on the
organization.