What’s the difference between Threat and Risk?

What is Risk

According to ISO 31000, "risk" is the effect of uncertainty on objectives; a "threat" is a negative risk, i.e. a risk whose effect is harmful. In the context of information security, the NIST Generic Risk Model (NIST SP 800-30) can be read in ISO 31000 terms.


A threat event is a "threat source" exploiting a "vulnerability", either in the asset itself or in the security controls that protect it. The threat event is the uncertainty, or likelihood, side of a threat or risk; if the threat event occurs, it produces a loss/impact, which is the negative effect of the threat or risk.


In summary, a threat is a negative risk: a function of uncertainty (the threat event) and effect (the loss/impact).

  • Risk (or Threat) = (the likelihood that a) Vulnerability (is exploited by a threat source) X (the loss/impact of the) Threat
    Stripped of those qualifiers, and without consistent definitions, this reduces to the common but misleading formula: Risk = Vulnerability X Threat
  • The symbol = should be read as "is a function of", and X as "and".

The threat event can be measured quantitatively (e.g. an 80% likelihood) or qualitatively (H/M/L), and so can its loss/impact.
It is common to go semi-quantitative by replacing H/M/L with numbers or scores, e.g. 3/2/1.


With such scores, the threat or risk level is obtained by combining the two factors, e.g. a High (3) likelihood and a High (3) impact give 3 X 3 = 9.
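As an added example (not code from the original post), the scoring above applied to a small risk register in Python. It scores each threat event as a function of likelihood and loss/impact, accepting either a semi-quantitative H/M/L pair (mapped to 3/2/1, so H X H = 9) or a quantitative pair (a probability and a loss, giving an expected loss), and refuses to combine the two scales, since a percentage multiplied by an ordinal score is not a meaningful number. The register entries, the H/M/L band thresholds for reading a matrix cell back, and all names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Semi-quantitative scale from the post: H/M/L replaced by 3/2/1.
RATING = {"H": 3, "M": 2, "L": 1}

# Thresholds for reading a 3x3 matrix cell back as a band (assumption, not from the post).
BANDS = ((6, "H"), (3, "M"))


@dataclass(frozen=True)
class ThreatEvent:
    """One row of a hypothetical risk register.

    likelihood: probability in [0, 1] that the threat event occurs, or "H"/"M"/"L".
    impact:     loss if it occurs, in currency units, or "H"/"M"/"L".
    """
    name: str
    likelihood: Union[float, str]
    impact: Union[float, str]


def _is_rating(value) -> bool:
    return isinstance(value, str) and value.upper() in RATING


def _is_number(value) -> bool:
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def risk_score(event: ThreatEvent) -> float:
    """Risk (threat) level as a function of likelihood and loss/impact.

    Both factors must be on the same scale: two H/M/L ratings give a 1..9
    matrix cell (H x H = 3 x 3 = 9); a probability and a loss give an
    expected loss. Mixing the scales raises ValueError.
    """
    lik, imp = event.likelihood, event.impact
    if _is_rating(lik) and _is_rating(imp):
        return float(RATING[lik.upper()] * RATING[imp.upper()])
    if _is_number(lik) and _is_number(imp):
        if not 0.0 <= lik <= 1.0:
            raise ValueError(f"{event.name}: likelihood must be a probability in [0, 1]")
        if imp < 0:
            raise ValueError(f"{event.name}: impact must be a non-negative loss")
        return lik * imp
    raise ValueError(f"{event.name}: likelihood and impact must use the same scale")


def matrix_band(score: float) -> str:
    """Read a semi-quantitative 1..9 matrix cell back as an H/M/L band."""
    if not float(score).is_integer() or not 1 <= score <= 9:
        raise ValueError("matrix_band expects a 1..9 matrix cell")
    for threshold, band in BANDS:
        if score >= threshold:
            return band
    return "L"


def rank_register(events: List[ThreatEvent]) -> List[Tuple[str, float]]:
    """Score every event and sort highest risk first.

    A register that mixes scales is refused: an expected loss in currency and
    a 1..9 matrix cell cannot be ordered against each other.
    """
    scales = {_is_rating(e.likelihood) for e in events}
    if len(scales) > 1:
        raise ValueError("register mixes quantitative and semi-quantitative events")
    scored = [(e.name, risk_score(e)) for e in events]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample registers, not real assessments.
SEMI_QUANT = [
    ThreatEvent("Phishing leads to credential theft", "H", "M"),
    ThreatEvent("Unpatched web app exploited", "H", "H"),
    ThreatEvent("Laptop lost in transit", "L", "M"),
]
QUANT = [
    ThreatEvent("Phishing leads to credential theft", 0.75, 20000.0),
    ThreatEvent("Unpatched web app exploited", 0.5, 100000.0),
    ThreatEvent("Laptop lost in transit", 0.125, 5000.0),
]

if __name__ == "__main__":
    for name, score in rank_register(SEMI_QUANT):
        print(f"{score:>4.0f} ({matrix_band(score)})  {name}")
    for name, score in rank_register(QUANT):
        print(f"{score:>10.2f}  {name}")
```

The same three events rank identically on both scales here, but that is a property of these constructed numbers, not a guarantee: a 3x3 matrix collapses every likelihood above some cut-off into "H", so two events that differ by an order of magnitude in expected loss can land in the same cell.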
