Asset – People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items.

An asset is what we’re trying to protect.

Threat Assessment

Can not be controlled: external threats, hacking, tsunami, ...
Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

Vulnerability Assessment

Can be controlled: code, software, ...
Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
Identified by conducting e.g. penetration tests.

Risk Assessment

Can be mitigated by lowering impact on the business: procedures, physical security e.g. missing alarm systems, ...
The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

Privacy Impact Assessment