Anything that is capable of acting against an asset in a manner that can result in harm. Threats are aimed at exploiting enterprise vulnerabilities.

Prepare for the ISACA IT Risk Fundamentals Test. Find flashcards and multiple choice questions, complete with hints and explanations. Ace your exam with confidence!

Multiple Choice

Anything that is capable of acting against an asset in a manner that can result in harm. Threats are aimed at exploiting enterprise vulnerabilities.

Explanation:
A threat is anything capable of acting against an asset in a way that can cause harm, and threats are specifically aimed at exploiting vulnerabilities in the enterprise. This framing is about potential harm caused by an adversary, event, or circumstance that could take advantage of a weakness. In risk terms, risk arises from the combination of a threat exploiting a vulnerability and the resulting impact, taking into account how likely that event is. Policies and standards, by contrast, are governance elements: a policy expresses management intent, and a standard provides mandatory requirements to enforce that intent. They don’t themselves represent harm or act as attackers, but they help reduce risk by guiding security practice. For example, a cyber attacker or malware is a threat; a natural disaster is a threat too; risk would consider how likely such threats are to exploit vulnerabilities and what the potential impact would be.

