1. Threat (what could cause harm)

A threat is anything that has the potential to do damage, even if the damage has not happened yet. In this case, a thief who walks around looking for houses to break into is the threat. The thief might or might not attack, but the possibility exists, and that possibility itself is the threat.

2. Vulnerability (weak point/weakness)

A vulnerability is a weakness that makes it easier for a threat to succeed.

Here, the front door is left unlocked, meaning there is no barrier to stop someone from entering. The vulnerability does not cause harm by itself, but it makes it much easier for the threat to act.

3. Risk (chance of something bad happening)

Risk is the chance that the threat will use the vulnerability to cause harm. In this situation, the risk is that the thief may enter the house because the door is unlocked. Risk is about probability, not certainty. Maybe the thief will pass by and do nothing, or maybe he will enter.

4. Impact (what happens if the risk becomes real)

Impact is the consequence or result if the risk actually occurs. If the thief goes inside the house, the impact could be:

  • belongings are stolen
  • money is taken
  • personal documents go missing
  • the family feels unsafe afterward

So, impact describes what damage is done when the risk turns into reality.

5. Severity (how serious the impact is)

Severity tells how big or serious the damage is. Not all impacts have the same severity. For example:

  • If only small, cheap items are stolen, the severity is low.
  • If expensive electronics, jewelry, or passports are stolen, the severity is high.

Severity helps us understand how bad the situation is and how urgently it must be fixed. It is usually scored with the CVSS (Common Vulnerability Scoring System), which rates a vulnerability's severity on a scale from 0.0 to 10.0.

Correlation between Threat, Vulnerability, Risk, Impact & Severity

Assessing the Case Example with CVSS

Case Example:

A company employee receives a phishing email that looks very convincing and appears to come from the IT Support department, claiming that there is an urgent security update that requires immediate action. The message tells the employee to click a link and log in to “verify their account,” and because the email uses the company logo and professional wording, the employee believes it is real and is encouraged to enter their password.

  • Threat: The phishing email and the attacker behind it, who is trying to steal login credentials.
  • Vulnerability: The employee might not recognize phishing and may click the link.
  • Risk: The attacker may gain access to company systems if the employee enters their password.
  • Impact: Company data could be stolen, modified, or leaked.
  • Severity: High, because losing access to company data can cause major financial and reputational damage.

Severity Calculation Using CVSS 3.1

Base Score

Temporal Score

Environmental Score