Having mapped attack surfaces across digital, physical, human, and supply chain domains, we now need a framework to prioritize what to protect first. The foundational concepts of risk management (risk, threat, and vulnerability) are frequently conflated even by experienced professionals. A threat is an actor or event with the potential to cause harm. A vulnerability is a weakness that can be exploited. Risk is the intersection: the likelihood that a threat will exploit a vulnerability, multiplied by the impact if it does. Clear definitions drive clear decisions.
A vulnerability is any weakness in an asset or control that can be exploited. This includes software bugs (SQL injection), misconfigurations (open S3 bucket), process gaps (no offboarding procedure for terminated employees), and architectural flaws (flat network with no segmentation). The CVE (Common Vulnerabilities and Exposures) system catalogs publicly known software vulnerabilities with unique identifiers and severity scores (CVSS). But vulnerabilities also exist outside of CVEs: an unlocked server room is a vulnerability with no CVE number.
A threat is any circumstance or event with the potential to adversely impact organizational operations, assets, or individuals. Threat actors (the 'who' from Module 2) are one category, but natural disasters, power failures, and hardware degradation are also threats. The key distinction: a vulnerability without a threat is a theoretical risk, but a vulnerability with an active, capable threat actor targeting it is an imminent incident. Threat intelligence feeds provide data on which threat actors are actively exploiting which vulnerabilities.
Risk = Likelihood × Impact. This formula (with variations) is the backbone of security decision-making. Likelihood is the probability that a threat will exploit a vulnerability. Impact is the magnitude of harm: financial loss, reputational damage, regulatory penalties, operational disruption, or life-safety consequences. A critical vulnerability with CVSS 10.0 on an internet-facing production server represents high risk because likelihood and impact are both high. The same vulnerability on an air-gapped lab machine with no data has lower risk because impact is minimal.
```python
# Quantitative risk calculation: Risk = Likelihood x Impact
# This model helps prioritize remediation across thousands of findings
import json

vulnerabilities = [
    {"id": "VULN-001", "cvss": 9.8, "exposure": "internet-facing", "asset_value": 1000000, "exploit_maturity": "weaponized"},
    {"id": "VULN-002", "cvss": 9.8, "exposure": "internal-only", "asset_value": 50000, "exploit_maturity": "proof-of-concept"},
    {"id": "VULN-003", "cvss": 5.5, "exposure": "internet-facing", "asset_value": 100000, "exploit_maturity": "unproven"},
]

def calculate_risk(vuln):
    # Likelihood factors (0.0 - 1.0 scale)
    exposure_score = {"internet-facing": 1.0, "internal-only": 0.3, "air-gapped": 0.05}
    exploit_score = {"weaponized": 1.0, "proof-of-concept": 0.5, "unproven": 0.1}
    likelihood = exposure_score[vuln["exposure"]] * exploit_score[vuln["exploit_maturity"]]
    # Impact: the CVSS-weighted share of the asset's value (a dollar figure)
    impact = vuln["cvss"] / 10.0 * vuln["asset_value"]
    risk = likelihood * impact
    return {"id": vuln["id"], "likelihood": round(likelihood, 2), "impact": round(impact, 2), "risk_score": round(risk, 2)}

# Highest risk first: this ordering is the remediation queue
ranked = sorted([calculate_risk(v) for v in vulnerabilities], key=lambda x: x["risk_score"], reverse=True)
print(json.dumps(ranked, indent=2))
# Output shows VULN-001 ranked highest despite same CVSS as VULN-002
# because internet exposure + weaponized exploit dramatically increases likelihood
```

This Python script demonstrates why CVSS alone is insufficient for prioritization. VULN-001 and VULN-002 both score 9.8, but VULN-001 is internet-facing and has a weaponized exploit, so its risk score is orders of magnitude higher. Security teams with limited resources must remediate VULN-001 immediately; VULN-002 can be scheduled for the next patch cycle. This is the practical value of distinguishing risk from vulnerability.
| Term | Definition | Example | You Control This? | Question It Answers |
|---|---|---|---|---|
| Vulnerability | A weakness in an asset or control | Unpatched Apache Struts (CVE-2017-5638) | Partially: you can patch, but new vulns emerge | What could go wrong? |
| Threat | An actor or event with harm potential | APT10 actively targeting managed service providers | No: threat actors are external to your control | Who or what could cause harm? |
| Risk | Likelihood × Impact of threat exploiting vulnerability | Likelihood: High (active exploitation). Impact: $50M (data breach). Risk: Critical | Yes: you can reduce likelihood (patch) and impact (backups) | How worried should I be? What do I fix first? |
| Control | A safeguard that reduces risk | Web Application Firewall, MFA, backups | Yes: controls are how you manage risk | How do I protect against this? |
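The table's last two rows make a point the module's script does not model: threat intelligence changes likelihood, and controls are the lever you actually own for reducing likelihood (patch, WAF, MFA) and impact (backups, segmentation). The script below is an added example, not code from the module, that extends the same Likelihood × Impact model to score each finding twice, as inherent risk (no controls) and residual risk (after controls). The control multipliers, the doubling rule for an actively exploited vulnerability, and the three sample findings are constructed assumptions for illustration, not measured control effectiveness.

```python
# Added example (not the module's own code): inherent vs. residual risk, feeding a
# threat-intelligence flag and control effectiveness into Likelihood x Impact.
from dataclasses import dataclass, field

# Same likelihood factors as the module's script (0.0 - 1.0 scale)
EXPOSURE_SCORE = {"internet-facing": 1.0, "internal-only": 0.3, "air-gapped": 0.05}
EXPLOIT_SCORE = {"weaponized": 1.0, "proof-of-concept": 0.5, "unproven": 0.1}

# Hypothetical control catalogue. Each entry is a multiplier applied to likelihood
# or impact (1.0 = no effect). Values are constructed for illustration only.
CONTROLS = {
    "waf":            {"likelihood": 0.5, "impact": 1.0},  # blocks a share of exploit attempts
    "mfa":            {"likelihood": 0.2, "impact": 1.0},  # credential abuse far less likely
    "segmentation":   {"likelihood": 0.6, "impact": 0.5},  # harder to reach, smaller blast radius
    "tested_backups": {"likelihood": 1.0, "impact": 0.3},  # does not stop the attack, cuts the loss
}


@dataclass
class Finding:
    id: str
    cvss: float
    exposure: str
    asset_value: float
    exploit_maturity: str
    actively_exploited: bool = False  # threat-intel flag: seen exploited in the wild
    controls: list = field(default_factory=list)


def likelihood(f: Finding, with_controls: bool) -> float:
    base = EXPOSURE_SCORE[f.exposure] * EXPLOIT_SCORE[f.exploit_maturity]
    if f.actively_exploited:
        # An active, capable threat raises likelihood; cap at certainty (assumed rule)
        base = min(1.0, base * 2.0)
    if with_controls:
        for name in f.controls:
            base *= CONTROLS[name]["likelihood"]
    return base


def impact(f: Finding, with_controls: bool) -> float:
    # CVSS-weighted share of the asset's value, as in the module's script
    value = f.cvss / 10.0 * f.asset_value
    if with_controls:
        for name in f.controls:
            value *= CONTROLS[name]["impact"]
    return value


def score(f: Finding) -> dict:
    """Inherent risk ignores controls; residual risk is what remains after them."""
    inherent = likelihood(f, False) * impact(f, False)
    residual = likelihood(f, True) * impact(f, True)
    return {
        "id": f.id,
        "cvss": f.cvss,
        "inherent_risk": round(inherent, 2),
        "residual_risk": round(residual, 2),
        "reduction_pct": round(100 * (1 - residual / inherent), 1) if inherent else 0.0,
    }


def rank(findings) -> list:
    """Highest residual risk first: this ordering is the remediation queue."""
    return sorted((score(f) for f in findings), key=lambda s: s["residual_risk"], reverse=True)


# Constructed sample findings (same shape as the module's vulnerabilities list)
SAMPLE = [
    Finding("VULN-001", 9.8, "internet-facing", 1_000_000, "weaponized",
            actively_exploited=True, controls=["waf", "tested_backups"]),
    Finding("VULN-002", 9.8, "internal-only", 50_000, "proof-of-concept",
            controls=["segmentation"]),
    Finding("VULN-003", 5.5, "internet-facing", 100_000, "unproven",
            actively_exploited=True),
]

if __name__ == "__main__":
    for row in rank(SAMPLE):
        print(row)
```

Two things are worth noticing in the output. VULN-001 stays at the top even after a WAF and tested backups cut its risk by 85%, because residual risk is still far above everything else, so controls justify scheduling, not ignoring, the patch. And VULN-003, a CVSS 5.5 finding, outranks the CVSS 9.8 VULN-002 once threat intelligence reports active exploitation and the asset is internet-facing: the "who" changes the "how worried" answer even when the vulnerability score does not.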
⚠️ The most dangerous phrase in risk management is 'We have no threats targeting us.' Every organization has threats; you just haven't identified them yet. Absence of evidence is not evidence of absence. Assume threat actors are interested in your data until proven otherwise.