In IB Computer Science, students are often asked to analyse security scenarios and identify what could go wrong and why it could go wrong. This requires a clear understanding of the difference between cybersecurity threats and vulnerabilities. Although the terms are related, they refer to different parts of a security problem.
IB examiners expect students to clearly distinguish between potential danger and system weakness.
What Is a Cybersecurity Threat?
A cybersecurity threat is a potential cause of harm to a system.
Threats describe:
- Who or what could attack a system
- The type of damage that could occur
Examples of threats include:
- Hackers
- Malware
- Phishing attacks
- Denial of service attacks
In IB terms, a threat represents intent or capability to cause harm, not the weakness itself.
What Is a Vulnerability?
A vulnerability is a weakness in a system that can be exploited by a threat.
Vulnerabilities may exist in:
- Software
- Hardware
- Network configuration
- User behaviour
Examples include:
- Weak passwords
- Outdated software
- Unpatched systems
- Misconfigured access controls
In IB Computer Science, vulnerabilities explain why a threat can succeed.
The Relationship Between Threats and Vulnerabilities
A key IB concept is that threats exploit vulnerabilities.
A threat alone does not cause harm unless a vulnerability exists. Similarly, a vulnerability may exist without being exploited.
Damage occurs only when both are present.
Example Scenario
Consider an online school system:
- Threat: A hacker attempting to access student data
- Vulnerability: Weak password policies
The hacker can succeed because the vulnerability exists.
IB exam answers should always link the two together.
Why This Distinction Matters
Understanding the difference allows organisations to:
- Identify risks accurately
- Apply appropriate security measures
- Prioritise fixes
For example:
- Removing vulnerabilities reduces risk
- Threats cannot always be eliminated
IB students should recognise that security focuses heavily on reducing vulnerabilities.
Threats vs Vulnerabilities vs Controls
In security analysis:
- Threats describe potential attacks
- Vulnerabilities describe weaknesses
- Controls describe protections
Controls include:
- Firewalls
- Encryption
- Access control
- User training
IB examiners reward students who can place each concept in the correct role.
Common Types of Vulnerabilities
Students should be familiar with:
- Weak authentication
- Poor access control
- Software bugs
- Human error
These weaknesses are often easier to fix than threats are to eliminate.
Common Student Mistakes
Students often:
- Use threats and vulnerabilities interchangeably
- Describe attacks as vulnerabilities
- Ignore the link between them
- Give lists without explanation
Clear cause-and-effect explanations earn higher marks.
How This Appears in IB Exams
IB questions may ask students to:
- Identify threats and vulnerabilities in a scenario
- Explain how a threat exploits a vulnerability
- Suggest appropriate security controls
- Evaluate system risk
Correct classification is essential.
Final Thoughts
Cybersecurity threats represent potential sources of harm, while vulnerabilities are weaknesses that allow those threats to succeed. Security failures occur when threats exploit vulnerabilities.
Understanding this distinction allows IB Computer Science students to analyse security scenarios clearly and logically — exactly what examiners expect.
