I am nearing the end of the autumn quarter, teaching enterprise risk management to University of Washington Informatics majors. One question that recurs is the subtle difference between a risk and a threat. The Oxford English Dictionary defines a threat as “a person or thing likely to cause damage or danger” and a risk as “a situation involving exposure to danger.” We spend a fair amount of time in discussion of how an organization’s control structure can offset or mitigate both threats and risks.