In information security, what best defines a threat?

A threat is a condition or action that could cause harm to information assets. This is about potential harm, not something that has already occurred. Saying a threat is a condition or activity with the potential to cause loss, modification, exposure, or denial of service captures that idea clearly: it’s about what could happen, given the right circumstances. An actual incident, by contrast, is what happens when a threat is realized and harm occurs. A vulnerability is a weakness that could be exploited, but on its own doesn’t define a threat unless there’s potential impact from exploitation. Similarly, a security control that’s too expensive describes a cost concern, not a threat. In practice, risk comes from threats exploiting vulnerabilities to produce impact, so understanding threats as potential harms is essential to assessing and managing risk.