
12/21/2022 The Difference Between Threat, Vulnerability, and Risk, and Why You Need to Know | Trava

The Difference Between Threat, Vulnerability, and Risk, and Why You Need to Know

BLOG POST

Dive into how threats, vulnerability, and risk impact cybersecurity management strategy.

By Connie Glover, Senior Marketing Manager

Cyber threats are real—and more common than you think. According to the FBI’s
2020 Internet Crime Report, the Internet Crime Complaint Center received
791,790 cyber crime complaints in 2020. That’s a 69 percent increase from 2019,
and the number of ransomware attacks continues to rise. In July, IT management
software company Kaseya fell victim to a supply chain ransomware attack, which
affected 1,500 businesses. 

As ZDNet explained, hackers took advantage of a vulnerability in Kaseya’s
software against multiple managed service providers (MSP). And although Kaseya
said they had not found evidence that any of their SaaS customers had been
compromised, some businesses closed and went offline due to the attack. It
wasn’t worth the risk to stay online and fall victim to additional threats. 

https://www.travasecurity.com/blog/the-difference-between-threat-vulnerability-and-risk-and-why-you-need-to-know 1/5

The word “threat” is often confused with (or used interchangeably with) the words
“risk” and “vulnerability.” But in cybersecurity, it’s important to differentiate
between threat, vulnerability, and risk. A threat exploits a vulnerability and can
damage or destroy an asset. Vulnerability refers to a weakness in your hardware,
software, or procedures. (In other words, it’s a way hackers could easily find their
way into your system.) And risk refers to the potential for lost, damaged, or
destroyed assets. 

But that’s just the brass tacks. Let’s take a deeper look at the difference between
threat, vulnerability, and risk, and why you need to know. 

What are threats?

Threats have the potential to steal or damage data, disrupt business, or create
harm in general. To keep that from happening, you need to know what cyber
threats exist. In general terms, there are three categories. 

Intentional threats: Things like malware, ransomware, phishing, malicious code, and
wrongfully accessing user login credentials are all examples of intentional threats. They
are activities or methods bad actors use to compromise a security or software system. 
Unintentional threats: Unintentional threats are often attributed to human error. For
example, let’s say you forgot to lock the back door before leaving for work. While
you’re at the office, a thief seizes the opportunity to sneak into your home and steal
your valuables. Even though you didn’t mean to leave the door unlocked, the thief took
advantage of your home’s vulnerability. In the cybersecurity industry, someone might
leave the door to the IT servers unlocked or leave sensitive information unmonitored.
An employee could forget to update their firewall or anti-virus software. Current and
even former employees may also have unnecessary access to sensitive data, or simply
be unaware of the threats. (Which is why employee training is so important.)
Natural threats: While acts of nature (floods, hurricanes, tornadoes, earthquakes, etc.)
aren’t typically associated with cybersecurity, they are unpredictable and have the
potential to damage your assets. 

To protect yourself from cyber threats, continuously monitor all data
environments and use two-factor authentication. You should also teach your
employees how to recognize phishing attempts and other tactics cyber criminals
use to trick people into helping them gain access to sensitive data. For additional
ways to protect you and your company’s data, check our ebook “10 Cyber Risk
Management Issues Every Business Needs to Address ASAP.”

What is vulnerability? 

Vulnerability refers to a weakness in your hardware, software, or procedures. It’s a
gap through which a bad actor can gain access to your assets. In other words,
threats exploit vulnerabilities. 

Take Kaseya. The FBI described the incident as “a vulnerability in Kaseya VSA
software against multiple managed service providers (MSPs) and their customers.”
Huntress, a cybersecurity firm, tracked 30 MSPs involved in the breach and
concluded that the attack was due to an authentication bypass vulnerability in
Kaseya’s VSA web interface. It allowed attackers to work around authentication
controls and upload malware. 

You should know that small to medium-sized businesses tend to be more
vulnerable to attacks. That’s because few can afford a dedicated IT/security
department, making it less likely that there are security procedures in place. (That
said, cyber attacks affect companies of all sizes.) Companies should be aware of
their threats and vulnerabilities in order to identify and respond to all of the risks.
To determine the best way to approach a specific threat, perform regular threat
assessments. Or try penetration testing, which recreates real-world threats to
discover vulnerabilities. 

What does risk mean?

Cyber risk is the intersection of assets, threats, and vulnerabilities. It’s the
potential for loss, damage, or destruction of an asset when a threat takes
advantage of a vulnerability. Put another way: 

Threats + Vulnerability = Risk


To determine your level of cyber risk, you have to understand the types of threats
that are out there and know your system’s vulnerabilities. Although cybersecurity
is an ever-moving target, you can keep your overall risk low. Trava has a free cyber
risk checkup tool that runs a top-level scan of your domain. (The lower your score,
the lower your risk.) By determining your level of risk, you can create a solid cyber
risk management plan. 
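To make the “intersection of assets, threats, and vulnerabilities” concrete, here is a small risk register, added as an illustration and not part of the Trava post. It treats a risk as existing only where a listed threat can exploit a weakness an asset actually has; all threat, asset and weakness names are constructed sample data, and the `risk_register` and `unmatched_vulnerabilities` functions are hypothetical helpers written for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset  # weakness classes this threat can take advantage of

@dataclass(frozen=True)
class Asset:
    name: str
    vulnerabilities: frozenset  # weakness classes present on this asset

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str

def risk_register(assets, threats):
    """Triples (asset, threat, weakness) where a threat can exploit a weakness the
    asset really has; a threat or weakness with no counterpart yields no risk."""
    register = set()
    for asset in assets:
        for threat in threats:
            for weakness in asset.vulnerabilities & threat.exploits:
                register.add(Risk(asset.name, threat.name, weakness))
    return register

def unmatched_vulnerabilities(assets, threats):
    """Weaknesses present on some asset that no listed threat exploits: worth
    fixing, but not yet a risk under the post's definition."""
    exploited = set().union(*(t.exploits for t in threats))
    return {w for a in assets for w in a.vulnerabilities} - exploited

# Constructed sample data covering the post's three threat categories
# (intentional, unintentional, natural). Not real inventory.
THREATS = [
    Threat("ransomware", frozenset({"unpatched-software", "phished-credentials"})),
    Threat("careless-employee", frozenset({"unmonitored-data", "unlocked-server-room"})),
    Threat("flood", frozenset({"single-site-storage"})),
]
ASSETS = [
    Asset("file-server", frozenset({"unpatched-software", "single-site-storage"})),
    Asset("hr-laptop", frozenset({"phished-credentials", "weak-wifi"})),  # weak-wifi: no matching threat listed
]

if __name__ == "__main__":
    for r in sorted(risk_register(ASSETS, THREATS), key=lambda r: (r.asset, r.threat)):
        print(f"{r.asset}: {r.threat} via {r.vulnerability}")
    print("unmatched:", unmatched_vulnerabilities(ASSETS, THREATS))
```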

Use what you know to develop a cyber risk management plan. 

Capturing, storing, and using sensitive data is essential for most organizations,
but holding and accessing it means you have the responsibility to protect it.
Understanding the difference between threat, vulnerability, and risk is the first
step toward developing a cyber risk management plan. After all, cyber risk is
business risk. If you can’t keep your customers’ data safe, you may lose their
business, not to mention your reputation.
