Those are academic terms, or possibly professional cybersecurity lingo. I’m a software developer, but have only done a few projects in cybersecurity, and I don’t follow the academic or industry terminology very closely. However, I would say: Vulnerability – any potential way in which a system could be used in a way its owners don’t want, and would prefer not to be possible. It includes ways an unauthorized person or program could take more control of the system than the owner wants, to access or alter the data or programs, cause damage, etc. It includes physical and social aspects, electronic and programming aspects, etc. Consequence – Any undesired outcome that actually happens from a Vulnerability. i.e. The system crashes because someone used it in a way the owner wishes weren’t possible. Or someone accessed and/or modified data the owner intended to be inaccessible. Or a program infected the system with viruses and sent a million spam emails and launched a DOS attack. Or someone bribed or seduced an admin and stole some passwords. Or someone broke into the server room and stole the hard drive. Threat – I don’t know for sure what they mean, but probably people, organizations, or software that may tend to actually take action that would use a Vulnerability to cause a Consequence. Could be a hacker or spy or burglar. Could be a virus or malicious or badly-designed software such as Microsoft Update, or a DDOS attack. Could be ignorant users who don’t know what they’re doing.