In terms of information systems security, a risk is defined as which of the following combinations? a) Attack plus vulnerability b) Threat plus attack c) Threat plus vulnerability d) Threat plus breach Solution c. Vulnerability is a weakness in security policy, procedure, personnel, management, administration, hardware, software, or facilities affecting security that may allow harm to an information system..