A paper in the Journal of Physical Security defined threats and vulnerabilities as follows:
Threat: Who might attack against what assets, using what resources, with what goal in mind, when/where/why, and with what probability. There might also be included some general aspect of the nature of the attack (e.g., car bombing, theft of equipment, etc.), but not details about the attack or the security measures that must be defeated and the Vulnerabilities to be exploited.
Vulnerability: a specific weakness in security (or a lack of security measures) that typically could be exploited by multiple adversaries having a range of motivations and interest in a lot of different assets.
Being Vulnerable to the Threat of Confusing Threats with Vulnerabilities
