Threats and vulnerabilities combine to create risks; that is, risk is the intersection of a threat and a vulnerability. A vulnerability is a weakness that exists within a system, whereas a threat is a danger capable of intentionally or accidentally compromising the security of an organizational asset.
Threats are entities or events with the potential to adversely affect an information system through unauthorized access, destruction, disclosure, modification of data, or denial of service. In other words, threats, if materialized, have the potential to disrupt the confidentiality, integrity and availability (CIA) of information systems. Vulnerabilities, by contrast, are gaps in information systems that can be exploited by threat vectors to pose risks to organizations. Threats and vulnerabilities must coexist to form risks to assets.
Risk is the probability that a particular security threat will exploit a particular vulnerability, resulting in loss or harm to an asset. In addition, risk is an unpleasant situation that may inhibit organizations from achieving their business objectives. Risk is sometimes described as the combination of the probability of an event (likelihood) and its consequences (impact) on an asset.