Security basics: definitions of threat, attack, and vulnerability

The terms threat, attack, and vulnerability are often used interchangeably and misused. Each is defined here.

Definition of threat: the expressed potential for the occurrence of a harmful event such as an attack.

Definition of attack: an action taken against a target with the intention of doing harm.

Definition of vulnerability: a weakness that makes targets susceptible to an attack.

Excerpt from CISSP Guide to Security Essentials, chapter 10

3 thoughts on “Security basics: definitions of threat, attack, and vulnerability”

  1. Gary Hinson

    That’s an attack-biased set of definitions, typical of the anti-hacker mindset. What about security incidents caused passively, for example by accidents, errors and omissions? The sewage flood that shorts out the under-floor wiring in the computer suite? The backhoe that takes out all the fibre-optic cables entering the building? The dozy technician who casually pulls the wrong plug or enters the shutdown command on the wrong console by mistake?

    I prefer the definitions from ISO/IEC 27000 (draft awaiting publication):

    Attack: attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset [term also defined]

    Threat: a potential cause of an unwanted incident, which may result in harm to a system or organization.

    Vulnerability: weakness of an asset [defined] or control [defined] that can be exploited by a threat.

    Kind regards,
