We can use qualitative or quantitative methods for evaluating risk. Simply put, risk is someone's exposure to loss. It is different from vulnerability, because it depends on the probability of a particular event, attack, or condition and has a strong link to the motivations of an attacker. It also depends on how large the impact is of a single, atomic compromise or a whole campaign of attack/compromise events. Vulnerability does not directly invoke impact or probability, but is the innate weakness itself. It may be easy or hard to exploit, or result in a small or large loss when exploited.

For example, a desktop operating system may have a serious vulnerability in its process isolation logic allowing an untrusted process to access the ...