Resource Center  >  Blog

Vulnerabilities, Cyber Threats, Threat Actors and Risks

January 24, 2020
Nera Besic

There is a never-ending discussion about the terminology around Threat Modeling. In order to have control over data security issues that could potentially impact your business, it is crucial to understand the relationship between four key components: vulnerabilities, cyber threats, threat actors and risks. 

This post explains the key differences between vulnerabilities; cyber threats; threat actors and risks within the context of IT security.


Vulnerabilities refer to weaknesses in a system. They make threat outcomes achievable and could sometimes be even more dangerous. A system can be exploited through a single vulnerability, for example, a single SQL Injection attack could give an attacker full control over sensitive data. 
An attacker could also link various exploits together, taking advantage of more vulnerabilities to gain even more control. Examples of common vulnerabilities are SQL Injections, XML External Entity, Cross-site Scripting, LFI, server misconfigurations and more.

Cyber Threats

Cyber threats, or simply just threats, refer to cybersecurity occurrences or events that potentially cause harm by way of their outcome. Threats can become more dangerous because of a vulnerability in a system.

Common threats are:

  • – Phishing attacks that result in attackers installing a trojan horse and stealing sensitive information from your applications.
  • – An administrator accidentally leaving unprotected data on a production server causing a data breach.
  • – DDoS attacks attempting to make your website unavailable by flooding it with unwanted traffic from multiple computers.

And many others…

A Cyber Threat is something negative, such as an accident or an attack that presents a danger to you and you want to be sure to avoid it.

Threat Actors

Cybersecurity threats are accomplished by threat actors. They’re simply the entity, person, actor, or organization who initiates a threat. Examples of common threat actors include cybercriminals (usually financially motivated), politically motivated activists (hacktivists), competitors, disgruntled insiders, careless employees, and others…

Cyber threats are more dangerous when threat actors leverage several vulnerabilities to gain full access to a system, often including the operating system.


Risks are most commonly confused with threats, but they’re different in a significant way. A cybersecurity risk in everyday language is a chance of something bad happening combined with how bad it would be if it happens. Essentially, this refers to a combination of the probability of a threat and the impact/loss of that threat being exploited will have. The equation is:

risk = threat probability x impact

Therefore, a risk is a scenario that needs to be avoided combined with the likely impacts that result from that scenario. Here is a hypothetical example of how risks can be constructed:

Vulnerability – SQL Injection
Threat – Sensitive data theft enabled as a  result of the SQL Injection
Threat actors – Financially driven cybercriminals that perform the SQL Injection
Impact – Theft of sensitive data causing financial and reputation loss
Threat probability – The probability of this attack is high, given that the website is vulnerable to an SQL Injection

Accordingly, in this scenario, the SQL Injection should be treated as a high-risk vulnerability.

Related Articles:

Related topics

The practice of running DAST in production environments presents multiple risks and challenges that can actually hinder your security goals. Here’s why you should think twice before running DAST scans on a live production system.

See more

What Are Vulnerability Assessment Tools?  Vulnerability assessment tools are specialized software designed to identify, classify, and prioritize vulnerabilities in computer

See more

Secure coding refers to the practice of writing software code in a manner that minimizes vulnerabilities and guards against potential

See more

Test Your Web App for 10,000+ Attacks

  • Find & fix vulnerabilities fast
  • Zero false positives
  • Developer friendly
See Our Dynamic Application Security Testing (DAST) in Action
and see how easy AppSec can be

Test Your Web App for 10,000+ Attacks

Integrate vulnerability testing into your DevOps pipeline. Find & fix vulnerabilities fast with zero false positives.

  • Find & fix vulnerabilities fast
  • Scans all API formats
  • Zero false positives
  • Scan every build
  • Scan from CLI
  • Security as code
  • Developer friendly
See Next-Gen Dynamic Application Security Testing (DAST) in Action

and see how easy AppSec can be