Which statement best defines a vulnerability as used in the material?

A vulnerability is a weakness in a system, process, or control that could be exploited by a threat to cause harm or unauthorized access. This emphasizes potential risk: it’s about what could go wrong, not something that has already been fixed. A patch, in contrast, is a remedy applied to fix a vulnerability and reduce the risk. A user account is an identity used to access systems, not a weakness itself, and a backup file is a recovery copy, not a security flaw. So describing vulnerability as a characteristic of the system that could allow the threat to happen accurately captures the idea that vulnerabilities are conditions that enable exploitation.