A quick reminder: Don't stress over both threat and vulnerability
Threat and vulnerability are two tightly coupled aspects. There is no point in focusing on a vulnerability if the threat doesn’t exist; similarly, you can’t stress over a threat if your asset is not concerned with the vulnerability (or
The question one should ask is “What are the risks to my asset?”, and to answer this we need to run a whole Business Impact Analysis (BIA), which involves qualitative and quantitative risk assessment.
As a general equation: Risk = Vulnerability x Threat
On the basis of the above equation, we can conclude that if an asset has a Vulnerability and that Vulnerability is exposed to a known Threat, then the asset is at Risk.
When both elements exist, you need to tackle just one of the two, not both, to eliminate the risk: in the equation above, the product is zero as soon as either factor is.