Leonidas is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server due to a missing patch in the company's web application. In this scenario, what is the threat?

Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the malicious hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this scenario the missing patch is the vulnerability, and the malicious hacker is the threat. If the hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.