Explanation/Reference:
Explanation:
A vulnerability is defined as "the absence or weakness of a safeguard that could be exploited".
A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.
Incorrect Answers:
A: A threat is any potential danger that is associated with the exploitation of a vulnerability.
B: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages.
D: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26

A vulnerability is mostly a weakness, it could be a weakness in a piece of sotware, it
could be a weakness in your physical security, it could take many forms. It is a weakness that
could be exploited by a Threat. For example an open firewall port, a password that is never
changed, or a flammable carpet. A missing Control is also considered to be a Vulnerability.
The following answers are incorrect:
Risk:
It is the combination of a threat exploiting some vulnerability that could cause harm to some asset.
Management is concerned with many types of risk. Information Technology (IT) security risk
management addresses risks that arise from an organization's use of information technology.
Usually a threat agent will give rise to the threat which will attempt to take advantage of one of
your vulnerability.
Risk is a function of the likelihood that a threat scenario will materialize, its resulting impact
(consequences) and the existence/effectiveness of safeguards. If the evaluation of the risk meets
the risk deemed acceptable by management, nothing needs to be done. Situations where
evaluation of the risk exceeds the accepted risk (target risk) will necessitate a risk management
decision such as implementing a safeguard to bring the risk down to an acceptable level.
Threat:
Possibility that vulnerability may be exploited to cause harm to a system, environment, or
personnel. Any potential danger. The risk level associated with a threat is evaluated by looking at
the likelihood which is how often it could happen and the impact (which is how much exposure or
lost you would suffer) it would have on the asset. A low impact threat that repeats itself multiple
times would have to be addressed. A high impact threat that happen not very often would have to
be addressed as well.
Target of evaluation:
The term Target of evaluation is a term used under the common criteria evaluation scheme. It
defines the product being evaluated. It was only a detractor in this case and it is not directly
related to risk management.
Risk management info
Risk Management is an iterative process, which ensures that reasonable and cost-effective steps
are taken to protect the:
Confidentiality of information stored, processed, or transmitted electronically
Integrity of the information and related processes
Availability of the information, systems and services against accidental and deliberate threats
Value of the asset and the cost of its replacement if it is compromised
You can manage risk by:
Confirming the appropriateness of minimum standards
Supplementing the standards when necessary
Eliminating unnecessary expenditures and administrative barriers
Managing risk therefore, means defining:
What is at risk
Magnitude of the risk
Causal factors
What to do about the risk
The following reference(s) were/was used to create this question:
http://www.cse-cst.gc.ca/tutorials/english/section2/m2/index_e.htm
and
The official CEH courseware Version 6 Module 1

In addition to the capabilities in the correct answers, P3P does provide the site privacy practices to users in machine-readable format.