Quiz Entry - updated: 2026.07.14
In the cyber-security risk model, what's the difference between Threat, Vulnerability, Exposure, Weakness, and Asset — and how do they combine into "risk"?
Risk is the overlap of three circles — Threat, Weakness, Exposure — all aimed at an Asset. Remove any one circle and the risk goes to zero.
| Term (DE / EN) | Meaning | Example |
|---|---|---|
| Bedrohung / Threat | The attacker or hazard | A new exploit against Windows 10 |
| Schwachstelle / Weakness | A flaw in code/config/process | Windows 10 box that isn't patched |
| Exposition / Exposure | How reachable the weakness is | Windows 10 endpoints everywhere in the firm |
| Verletzlichkeit / Vulnerability | Exposure + Weakness combined — the attackable surface | "Patch-missing, internet-reachable host" |
| Schützenswertes Gut / Asset | What you're trying to protect | Customer data, production system |
The key insight — what you can and can't control:
- Threat: not controllable (you don't decide whether exploits exist).
- Weakness + Exposure: controllable — these are where your security budget lives (patching, segmentation, hardening).
That's why classic guidance is to "reduce attack surface" — you can't make threats vanish, but you can shrink the part of the Venn diagram you own.
Tip: NIST's definition: "a vulnerability is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source."