Terms such as cyber threats, vulnerabilities, and risks are often used interchangeably and confused. This post aims to define each term, highlight how they differ, and show how they are related to one another.

Cyber Threats

Cyber threats, or simply threats, refer to cybersecurity circumstances or events with the potential to cause harm by way of their outcome. A few examples of common threats include a social-engineering or phishing attack that leads to an attacker installing a trojan and stealing private information from your applications, political activists DDoS-ing your website, an administrator accidentally leaving data unprotected on a production system causing a data breach, or a storm flooding your ISP’s data center.

Cybersecurity threats are actualized by threat actors. Threat actors usually refer to persons or entities who may potentially initiate a threat. While natural disasters, as well as other environmental and political events, do constitute threats, they are not generally regarded as being threat actors (this does not mean that such threats should be disregarded or given less importance). Examples of common threat actors include financially motivated criminals (cybercriminals), politically motivated activists (hacktivists), competitors, careless employees, disgruntled employees, and nation-state attackers.

Cyber threats can also become more dangerous if threat actors leverage one or more vulnerabilities to gain access to a system, often including the operating system.


Vulnerabilities simply refer to weaknesses in a system. They make threat outcomes possible and potentially even more dangerous. A system could be exploited through a single vulnerability, for example, a single SQL Injection attack could give an attacker full control over sensitive data. An attacker could also chain several exploits together, taking advantage of more than one vulnerability to gain more control.

Examples of common vulnerabilities are SQL Injections, Cross-site Scripting, server misconfigurations, sensitive data transmitted in plain text, and more.


Risks are usually confused with threats. However, there is a subtle difference between the two. A cybersecurity risk refers to a combination of a threat probability and loss/impact (usually in the monetary terms but quantifying a breach is extremely difficult). Essentially, this translates to the following:

risk = threat probability * potential loss

Therefore, a risk is a scenario that should be avoided combined with the likely losses to result from that scenario. The following is a hypothetical example of how risks can be constructed:

  • SQL Injection is a vulnerability
  • Sensitive data theft is one of the biggest threats that SQL Injection enables
  • Financially motivated attackers are one of the threat actors
  • The impact of sensitive data getting stolen will bear a significant financial cost (financial and reputation loss) to the business
  • The probability of such an attack is high, given that SQL Injection is an easy-access, widely exploited vulnerability and the site is externally facing

Therefore, the SQL Injection vulnerability in this scenario should be treated as a high-risk vulnerability.

The difference between a vulnerability and a cyber threat and the difference between a vulnerability and a risk are usually easily understood. However, the difference between a threat and a risk may be more nuanced. Understanding this difference in terminology allows for clearer communication between security teams and other parties and a better understanding of how threats influence risks. This, in turn, may help prevent and mitigate security breaches. A good understanding is also needed for effective risk assessment and risk management, for designing efficient security solutions based on threat intelligence, as well as for building an effective security policy and a cybersecurity strategy.

Frequently asked questions

Threats are cybersecurity circumstances or events that may potentially cause harm by way of their outcome. For example, an administrator accidentally leaving data unprotected on a production system.

Read about the potential outcomes of leaving data exposed.

Vulnerabilities simply refer to weaknesses in a system. They make threat outcomes possible and potentially even more dangerous. Examples of vulnerabilities are SQL injections, cross-site scripting (XSS), and more.

See what vulnerabilities Acunetix can find for you.

Risk refers to the combination of threat probability and loss/impact. For example, if you have an SQL injection vulnerability there is a threat of sensitive data theft. The potential impact is significant financial and reputation loss, and the probability of an attack is high. Therefore, this is a high-risk situation.

See how an SQL injection may lead to complete system compromise.

First of all, Acunetix finds vulnerabilities for you: web vulnerabilities, misconfigurations, weak passwords, and any other potential weaknesses in your web resources. However, it also describes potential threats and automatically assesses the risks. Acunetix is a complete web vulnerability assessment and management tool.

See what Acunetix Premium can do for you.

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.