Sunday 5 July 2015

Difference between Threat, Vulnerability and Exploit

"A threat is posed to an information asset when an attacker can use an exploit on the vulnerability in the asset"


So, what are threat, vulnerability and exploit actually? Let's look at the definitions of these three terms and some explanations that will differentiate them.

Threat

A threat is anything that could cause damage to an information asset.

Threats can cause damage if there are vulnerabilities in the system. Vulnerabilities need to be fixed to stop the threats associated with them.

Threats to computing systems fall into three categories: hardware, software and data. Substitution of equipment, theft of hardware and deliberate attacks on computing equipment are some examples of threats that can be posed to hardware. Threats to software include deletion, modification and theft. Threats to data may also involve modification, deletion and theft.

Vulnerability

Microsoft has defined a security vulnerability as a flaw in the product. This flaw could permit an attacker to compromise the confidentiality, integrity and availability of the product.

"Security in Computing" has defined vulnerability as a weakness in the security system. These weaknesses can be in procedures, design or implementation of a system. 

Exploit

An exploit is an attack on a computer system. Exploits take advantage of the vulnerabilities (weaknesses) of the computing system.

You may have heard or read about hackers creating programs (software code) that can use vulnerabilities in other software, including operating systems. When there are known vulnerabilities like this, the owner of the software system will develop and provide a "patch" to fix the vulnerability. If a vulnerability is not fixed, an exploit can be used to attack the software, which in turn could cause damage to the systems running the software.


Example:

Imagine a water dam wall that has a crack in it, and let's say the crack is in the upper half of the wall. So long as the water level is low, the wall will hold the water. The rising water level, however, is a threat, as it could cause the wall to collapse and cause a flood as well as other damage. Now, we know that there is a crack there. This crack is the vulnerability. Imagine an enemy (attacker) who wants to deliberately collapse the wall using the crack. The method that he will use to collapse the wall using the crack is the exploit.

