# Risks vs Threats vs Vulnerabilities
[Source](https://securecontrolsframework.com/risk-management-model/) 

Risks, threats and vulnerabilities are commonly misunderstood. 

Fundamentally, vulnerability and risk management practices exist to achieve a minimum level of protection for an organization, which equates to a reduction in the total risk due to the protections offered by implemented controls. This can be conceptualized as a "risk management ecosystem" as it pertains to an organization's overall cybersecurity & data protection efforts. These ecosystem components have unique meanings that need to be understood to reasonably protect people, processes, technology and data, as shown below:
![](2023-scf-risk-management-ecosystem%201.jpg)