Vulnerability, threat and risk in cybersecurity

It goes without saying that you defend yourself better when you know your own weaknesses. The same is true when you know your opponents.

This lesson will allow us to better understand the concepts of vulnerability, threat and risk.

These concepts are essential foundations for implementing vulnerability management and risk management processes.

Vulnerability

A vulnerability is a weakness in a system, configuration, software or process.

A vulnerability can have several types:

  • Technical: a bug in software, a bad implementation or an architecture defect.
  • Human: people who can be manipulated through social engineering, such as phishing.

Most known vulnerabilities are recorded in a single database, called the Common Vulnerabilities and Exposures database (CVE database), which is overseen by the MITRE organization. Each entry has a unique identifier in this database.

The technical details of the vulnerabilities are recorded in other databases, the best known being the National Vulnerability Database (NVD) maintained by NIST.

💡 Example: one of the most critical vulnerabilities of recent years, known as Log4Shell, is registered under the identifier "CVE-2021-44228".

There are two ways to address a vulnerability:

  • Fix: apply a patch provided by the vendor, or correct the poorly implemented configuration.
  • Workaround (bypass): put a barrier in place that makes the vulnerability impossible to exploit, without fixing it.

💡 Workaround example: the web administration interface of a firewall contains a vulnerability. You decide to make this interface unavailable, and administer the firewall only from the command line.

Threat

A threat is any event that can harm you. These threats can be of different types, even the ones you least expect:

  • External attackers who want to extort money from you or harm you.
  • Natural disasters.
  • Internal attackers, such as a malicious employee.
  • External events: terrorism, war.

In order to better understand the threats that affect our digital activities, there is a process in cyber security called "Cyber Threat Intelligence" (CTI).

Many tools and frameworks exist to help understand and model these threats. As an introduction, you can for example read about the so-called "Cyber Kill Chain" (a lesson dedicated to the Kill Chain is available in this course).

Risk

Risk is the combination of vulnerability and threat. If your system is vulnerable and a threat occurs, then you suffer damage.

💡 For example, if you have computer equipment in the basement (vulnerability), the risk of flooding exists when a storm or heavy rain occurs (threats).

That's why one of the key processes in cyber security is managing these risks.

Risk management can be broken down into several phases (deliberately simplified here):

  • The inventory phase: it is essential to start by making an inventory of your resources, their vulnerabilities and the threats they face.
  • The analysis phase: this phase consists of understanding the probabilities of occurrence as well as the impacts. The impacts can be qualitative (impossible to use the accounting application) or quantitative (loss of 10,000 euros of equipment).
  • The treatment phase: once the risks have been analyzed, we have the information we need to make a decision on the treatment plan. There are four main methods to treat a risk:
    • Acceptance: if the losses are considered acceptable as they are, then the risk is accepted without treatment.
    • Delegation / Transfer / Sharing: one can transfer all or part of the consequences of a threat to a third party, for example by taking out insurance, or entrusting a perimeter to a service provider.
    • Eradication / Treatment: the necessary actions and controls are put in place to completely eliminate the risk.
    • Reduction: the necessary actions and controls are put in place to partially reduce the risk to a level of impact deemed acceptable.
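The three phases above, as an added Python example that is not part of the original lesson: a small risk register that records each asset with its vulnerability and threat (inventory), scores likelihood against impact (analysis), and picks one of the four treatment options (treatment). The ordinal scales, the thresholds and the sample register are assumptions made for this illustration, not a standard.

```python
"""Minimal risk register: inventory -> analysis -> treatment."""
from dataclasses import dataclass

# Ordinal 1..5 scales are an assumption of this example, not a standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    asset: str             # inventory phase: the resource
    vulnerability: str     # its weakness
    threat: str            # the event that could exploit it
    likelihood: str        # analysis phase: probability of occurrence
    impact: str            # analysis phase: qualitative consequence
    loss_eur: float = 0.0  # analysis phase: quantitative consequence, if known

    def score(self) -> int:
        # Risk combines vulnerability and threat: here likelihood x impact (1..25).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def treatment(risk: Risk, appetite: int = 4, transfer_above_eur: float = 50_000) -> str:
    """Recommend one of the four treatment options (thresholds are illustrative)."""
    s = risk.score()
    if s <= appetite:
        return "accept"      # losses judged acceptable as they are
    if risk.loss_eur >= transfer_above_eur:
        return "transfer"    # e.g. insurance, or entrusting the perimeter to a provider
    if s >= 16:
        return "eradicate"   # remove the exposure entirely
    return "reduce"          # controls that lower likelihood or impact

def prioritise(register):
    """Treatment plan as (score, asset, option) tuples, highest score first."""
    return sorted(((r.score(), r.asset, treatment(r)) for r in register), reverse=True)

# Constructed sample register echoing the lesson's own examples.
REGISTER = [
    Risk("basement servers", "equipment located in basement", "flooding", "possible", "major", 10_000),
    Risk("firewall", "vulnerable web admin interface", "external attacker", "likely", "severe"),
    Risk("accounting app", "single server, no redundancy", "hardware failure", "possible", "severe", 120_000),
    Risk("mail users", "staff susceptible to phishing", "phishing campaign", "likely", "moderate"),
    Risk("archive printer", "end-of-life firmware", "malicious employee", "rare", "minor"),
]

if __name__ == "__main__":
    for score, asset, option in prioritise(REGISTER):
        print(f"{score:>2}  {asset:<18} -> {option}")
```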

To summarize

Much of the time of cyber security professionals, regardless of their job or specialty, is spent anticipating events that are harmful to the company that employs them.

It is impossible to eliminate all risks, but it is possible to identify them well in order to implement effective action plans. This approach must be done in a cyclical manner in the form of continuous improvement.
