A vulnerability is a weakness in the system security that could be accidentally triggered or intentionally exploited and result in a security breach. A threat does not present a risk when there is no vulnerability that can be exercised.
- High vulnerability is a very substantial weakness which exists in the systems and where the business impact potential is severe. The control must be improved.
- Medium vulnerability is a weakness and where the business impact potential is significant. The control should be improved.
- Low vulnerability is the situation where the system is well-build and operated correctly. No additional controls are needed to reduce the vulnerability.