That’s an attack-biased set of definitions, typical of the anti-hacker mindset. What about security incidents caused passively, for example by accidents, errors and omissions? The sewage flood that shorts out the under-floor wiring in the computer suite? The backhoe that takes out all the fibre-optics cables entering the building? The dozy technician who casually pulls the wrong plug or enters the shutdown command on the wrong console by mistake?
I prefer the definitions from ISO/IEC 27000 (draft awaiting publication):
Attack: attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset [term also defined]
Threat: a potential cause of an unwanted incident, which may result in harm to a system or organization.
Vulnerability: weakness of an asset [defined] or control [defined] that can be exploited by a threat.
Kind regards,
Gary
Gary those are great definitions. Thanks for sharing.
Peter
How many differences are there between a threat and a threat agent?