What is the difference between a threat, a vulnerability, and a risk?
CISSP Flashcards: Security and Risk Management, Governance, Compliance, Ethics
Audio flashcard · 0:23 · Nortren
A threat is any potential event or action that could exploit a vulnerability and cause harm, such as a hacker, natural disaster, or malware. A vulnerability is a weakness in a system, process, or control that a threat could exploit, such as unpatched software or weak passwords. Risk is the likelihood that a threat will exploit a vulnerability multiplied by the impact of that exploitation. Risk equals threat times vulnerability times impact.
csrc.nist.gov