Risk is the intersection of assets (A), threats (T), and vulnerabilities (V). However, considering risk together with the probability (P) of the threats occurring might add more value for the business:
These terms will help us understand the real risk to any given asset. The business will benefit only if these risks are assessed accurately. Understanding threats, vulnerabilities, and risks is the first step in threat modeling.
For a given application, if there are no vulnerabilities, or there is a vulnerability with no threats, the application is considered low-risk. We will discuss the risk model further in a later section.