Cybersecurity plans are based on levels of risk and therefore consider the threats and vulnerabilities involved. The threats are what could happen. The vulnerabilities are where protection is absent or weak. Once a risk is identified, the level of risk needs to be analyzed. This enables an understanding of the probability and business impact of a cybersecurity risk should it become a reality.