Not long ago I was working on a threat modeling project, and found that I was rather confused by the distinction between a threat and a vulnerability. This might not seem like a big deal at first, but since the two are dealt with at different stages in the risk assessment process, and vulnerabilities depend on threats, it is critical to have a good understanding of the two.

So first off, just what is a threat?

A threat is something that can compromise some aspect of your system. This includes things like a denial of service attack preventing you from accessing resources, the theft of intellectual property residing in your system, or even damage to your public image. In other words, a threat is something you worry about happening to one of your assets.

Well then, what is a vulnerability? A vulnerability is a mechanism that allows an attacker to bring your worst fears to life. That is to say, a vulnerability is a way in which a threat can be realized.

A threat can be likened to a plan to write some software, and the vulnerability to its actual implementation.

Here are a couple of examples of a threat and a related vulnerability:

  • Where the threat is that your server is taken offline and thus cannot be accessed, a potential vulnerability is that you have low bandwidth and can therefore fall prey to a DDoS attack.

  • Where the threat is that your intellectual property is stolen from files on the server, a potential vulnerability is that the files are world-readable on a web server.

Obviously, those examples are very simple, and far more complex threats and vulnerabilities are common. However, these two examples should serve as a good starting point for understanding the distinction.
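As an added example (not code from the original post), here is a defender-side check for the second vulnerability above: a Python script that walks a web root, reports every regular file readable by everyone, and names the threat each finding could realize. The directory layout, file names and "sensitive suffix" list are constructed for illustration only.

```python
import os
import stat
import tempfile

# The threat that world-readable files could realize, as stated in the post.
THREAT = "intellectual property stolen from files on the server"


def is_world_readable(path):
    """True if the 'others' read bit is set on the file's own mode (no symlink following)."""
    return bool(os.lstat(path).st_mode & stat.S_IROTH)


def find_world_readable(root, sensitive_suffixes=(".key", ".pem", ".env", ".sql")):
    """Return root-relative paths of regular files readable by everyone.

    Files whose names look sensitive (constructed suffix list) are listed first so a
    reviewer sees the likely intellectual-property exposure before public pages."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            if is_world_readable(full):
                rel = os.path.relpath(full, root)
                hits.append((rel.endswith(sensitive_suffixes), rel))
    hits.sort(key=lambda h: (not h[0], h[1]))
    return [rel for _sensitive, rel in hits]


def make_sample_webroot():
    """Build a constructed sample web root in a temporary directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.html": 0o644,          # public page: world-readable is intended
        "config/db.env": 0o644,       # secret: wrongly world-readable (the vulnerability)
        "config/private.key": 0o600,  # secret: correctly restricted to the owner
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample content\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    for rel in find_world_readable(make_sample_webroot()):
        print(f"{rel}: world-readable -> threat: {THREAT}")
```

The check inspects permission bits rather than attempting to read the file, so it gives the same answer whether it is run as the web server user or as root.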