Skip to content
SecForge
Hero illustration for: Cybersecurity 101: the words that mean what.
LEVEL 1 CYBERSECURITY

Cybersecurity 101: the words that mean what.

Threat, vulnerability, exploit, risk — four words that get used interchangeably, and the one mental model that finally separates them.

7 min read SecForge Research

Walk into any security meeting and you will hear four words used as if they meant the same thing: threat, vulnerability, exploit, and risk. They do not. Getting them straight is the first thing that separates someone who can read a CVE from someone who can decide what to do about it.

The four words, with examples

The cleanest definitions, with the example we will use for the rest of this article — an employee laptop sitting in an airport lounge.

WordDefinitionLaptop example
ThreatSomeone or something that wants to cause harmA thief who steals laptops in lounges
VulnerabilityA weakness that could be used to cause harmDisk is not encrypted
ExploitThe specific way a vulnerability is usedBoot from USB and copy /home
RiskThe chance and impact of harm actually happeningLikely + sensitive data + bad press = high

Notice that a vulnerability is harmless on its own. An unencrypted disk in a vault that nobody can reach is a vulnerability without a threat. The risk is near zero. The same disk in an airport is a different story.

The CIA triad — what we are actually protecting

Every control you will ever read about exists to protect one of three properties. Memorise this; the rest of your career hangs off it.

  • Confidentiality — only the right people can read it. Lost laptop: confidentiality is the first thing to go.
  • Integrity — only the right people can change it, and you can detect when someone tries. Lost laptop: if it is returned, can you trust the binaries on it?
  • Availability — the right people can use it when they need to. Lost laptop: the employee cannot do their job until you replace it.
Mental model

A control is good when it raises the cost of attacking one of the three CIA properties more than it raises the cost of using the system normally. That is the whole game.

The risk equation — informal but useful

You will see a hundred variants of the risk equation. The one that survives contact with reality is the simplest:

Risk ≈ likelihood × impact

Likelihood is the chance the threat actually meets the vulnerability. Impact is what happens if it does. Both are usually guessed in three to five buckets ("low / medium / high / critical"), not in numbers. That is fine. The point of the equation is not to compute a number — it is to make you write down two separate guesses instead of one fuzzy feeling.

A worked example

Same laptop. The employee leaves it at a café for 90 seconds while paying. We score:

  1. Threats in this setting: opportunistic thief (high), targeted attacker (low for a marketing intern, high for an exec).
  2. Vulnerabilities: no full-disk encryption, screen unlocked, password manager unlocked, work email cached.
  3. Exploits: walk off with it; or 60 seconds at the keyboard to grab a session token.
  4. Impact: depending on role, anywhere from "annoying" to "company-ending".

The interesting move is the one most teams skip: write down which control reduces which leg of the risk. Full-disk encryption raises the cost of the walk-off exploit. A 60-second screen lock raises the cost of the at-keyboard exploit. They are not interchangeable.

What to take to your next meeting

  • Stop saying "this is a security risk". Say "the risk is X, because the threat of Y could exploit the vulnerability of Z".
  • For any new control someone proposes, ask: which CIA property does this protect, and from which threat?
  • If neither question has an answer, the control is decoration.

That is the whole foundation. The rest of this Learn series is just specific cases of these four words, applied to networks, to operating systems, to code, and eventually to the prompts you will hand an LLM to do this work at scale.