Recently a customer asked me where they should focus their security efforts: on vulnerabilities or on threats? I responded by asking what the difference is between threats and risks. I don't think security practitioners do themselves any favours when it comes to communicating concepts like risk, and it shows. If we truly believe that risk management is at the heart of information security, we must be able to clearly delineate these concepts and show how they relate to each other. The following diagram illustrates how I like to think about risk.