LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

In the cyber-security risk model, what's the difference between Threat, Vulnerability, Exposure, Weakness, and Asset — and how do they combine into "risk"?

Risk is the overlap of three circles — Threat, Weakness, Exposure — all aimed at an Asset. Remove any one circle and the risk goes to zero.

Term (DE / EN) Meaning Example
Bedrohung / Threat The attacker or hazard A new exploit against Windows 10
Schwachstelle / Weakness A flaw in code/config/process Windows 10 box that isn't patched
Exposition / Exposure How reachable the weakness is Windows 10 endpoints everywhere in the firm
Verletzlichkeit / Vulnerability Exposure + Weakness combined — the attackable surface "Patch-missing, internet-reachable host"
Schützenswertes Gut / Asset What you're trying to protect Customer data, production system

The key insight — what you can and can't control:

  • Threat: not controllable (you don't decide whether exploits exist).
  • Weakness + Exposure: controllable — these are where your security budget lives (patching, segmentation, hardening).

That's why classic guidance is to "reduce attack surface" — you can't make threats vanish, but you can shrink the part of the Venn diagram you own.

Tip: NIST's definition: "a vulnerability is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source."

From Quiz: ISF / Risk Management | Updated: Jul 14, 2026