Page 84 - CISSO_Prep_ Guide
identified. Several documents list many of the threats to
consider, including ISO/IEC 27005 and NIST SP 800-30 Rev. 1.
Threats are usually factors beyond the control of the
organization. No policy will ever remove the threat of insider
attack, nor will any control eliminate the threat of a tornado.
Vulnerabilities
A vulnerability is a weakness in a system or control that could
be exploited by a threat. This may be an unpatched system, an
untrained user, aging equipment, a building in a flood plain, or a
control that is not being monitored and operated correctly. The
risk assessor must consider the vulnerabilities since an asset
with more significant weaknesses will be more likely to be
exploited or suffer more damage than a properly defended asset.
Whereas threats are usually outside the control of the
organization, most vulnerabilities are within the organization's
power to address. It is through the recognition of weaknesses that
an organization can select appropriate controls and risk
mitigation strategies.
Likelihood
Likelihood is the probability that an adverse event will occur
or that a threat will exploit a vulnerability. It is a difficult
value to calculate or estimate, since it is largely subjective
and the underlying events are unpredictable. Probability estimates
often rely on the law of averages: how often have things happened
in the past? But past frequency may not be an accurate predictor
of the future. A future event may never arise or may happen more
often than it has in the