The terms threat and risk are often misused or treated as interchangeable, and either habit can mislead, especially within the intelligence and security industries.
This is the simplest explanation I have received:
‘The threat is rain, so the risk is getting wet; if you want to do something about it, get an umbrella.’
This nicely includes threat, risk and risk management.
My understanding is that a threat is anything that can exploit a vulnerability, whether there is a deliberate thought process behind it or it is an accident waiting to happen. Risk is the potential loss, destruction or damage to an asset that would occur if a threat exploited a vulnerability.
When dealing with terrorists, for example, we need to establish two factors in order to calculate the threat they may pose: intent and capability.
INTENT × CAPABILITY = THREAT
A terrorist would need both the will to carry out an attack and the hardware, knowledge, logistics and so on in order to pose a threat.
Therefore, a terrorist with an overwhelming desire to inflict terror, but who is perhaps a loner with no access to information or weaponry, is a low threat.