Company
Date Published
Author
Bugcrowd
Word count
675
Language
English
Hacker News points
None

Summary

This post first appeared on Daniel Miessler's blog. There is a never-ending debate about the language of threat modeling, and most presentations muddle and conflate its core terms: threat, threat actor, vulnerability, and risk. Threats are negative events that can lead to undesired outcomes, such as damage to or loss of assets, and can be caused by vulnerabilities in systems. Common threats include data breaches, natural disasters, and administrative errors. Threat actors are the individuals or entities that initiate the scenario. They are often human, but not always: natural events such as floods and earthquakes can also cause significant damage. Vulnerabilities are weaknesses in the system that make threats possible. Risk is the combination of the probability and the impact of a negative event: the chance of something bad happening combined with how severe it would be. Understanding the difference between these terms is crucial for effective threat modeling and risk management.