Cybersecurity 101: the words that mean what.
Threat, vulnerability, exploit, risk — four words that get used interchangeably, and the one mental model that finally separates them.
Walk into any security meeting and you will hear four words used as if they meant the same thing: threat, vulnerability, exploit, and risk. They do not. Getting them straight is the first thing that separates someone who can read a CVE from someone who can decide what to do about it.
The four words, with examples
The cleanest definitions, with the example we will use for the rest of this article — an employee laptop sitting in an airport lounge.
| Word | Definition | Laptop example |
|---|---|---|
| Threat | Someone or something that wants to cause harm | A thief who steals laptops in lounges |
| Vulnerability | A weakness that could be used to cause harm | Disk is not encrypted |
| Exploit | The specific way a vulnerability is used | Boot from USB and copy /home |
| Risk | The chance and impact of harm actually happening | Likely + sensitive data + bad press = high |
Notice that a vulnerability is harmless on its own. An unencrypted disk in a vault that nobody can reach is a vulnerability without a threat. The risk is near zero. The same disk in an airport is a different story.
The CIA triad — what we are actually protecting
Every control you will ever read about exists to protect one of three properties. Memorise this; the rest of your career hangs off it.
- Confidentiality — only the right people can read it. Lost laptop: confidentiality is the first thing to go.
- Integrity — only the right people can change it, and you can detect when someone tries. Lost laptop: if it is returned, can you trust the binaries on it?
- Availability — the right people can use it when they need to. Lost laptop: the employee cannot do their job until you replace it.
A control is good when it raises the cost of attacking one of the three CIA properties more than it raises the cost of using the system normally. That is the whole game.
The risk equation — informal but useful
You will see a hundred variants of the risk equation. The one that survives contact with reality is the simplest:
Risk ≈ likelihood × impact
Likelihood is the chance the threat actually meets the vulnerability. Impact is what happens if it does. Both are usually guessed in three to five buckets ("low / medium / high / critical"), not in numbers. That is fine. The point of the equation is not to compute a number — it is to make you write down two separate guesses instead of one fuzzy feeling.
A worked example
Same laptop. The employee leaves it at a café for 90 seconds while paying. We score:
- Threats in this setting: opportunistic thief (high), targeted attacker (low for a marketing intern, high for an exec).
- Vulnerabilities: no full-disk encryption, screen unlocked, password manager unlocked, work email cached.
- Exploits: walk off with it; or 60 seconds at the keyboard to grab a session token.
- Impact: depending on role, anywhere from "annoying" to "company-ending".
The interesting move is the one most teams skip: write down which control reduces which leg of the risk. Full-disk encryption raises the cost of the walk-off exploit. A 60-second screen lock raises the cost of the at-keyboard exploit. They are not interchangeable.
What to take to your next meeting
- Stop saying "this is a security risk". Say "the risk is X, because the threat of Y could exploit the vulnerability of Z".
- For any new control someone proposes, ask: which CIA property does this protect, and from which threat?
- If neither question has an answer, the control is decoration.
That is the whole foundation. The rest of this Learn series is just specific cases of these four words, applied to networks, to operating systems, to code, and eventually to the prompts you will hand an LLM to do this work at scale.