Difference between threat and attack

To differentiate between an attack and a threat, let us first define the two terms.

Threat

A threat is any indication, circumstance, or event with the potential to cause harm to an ICT (Information and Communications Technology) infrastructure and the assets that depend on this infrastructure.[1]

Attack

An attack is a deliberate exploitation of computer systems, technology-dependent enterprises and networks. An attacker uses malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrime, such as information and identity theft.[2]

We can mainly differentiate between a threat and an attack in three ways:
- A threat can be intentional or unintentional, whereas an attack is always intentional. An example of a threat is an incompetent employee who accidentally leaks sensitive information. An employee who knows what he is doing and purposefully leaks the sensitive information, on the other hand, is an attacker performing an attack, which in this case is the leaking of sensitive information.
- A threat is a circumstance that has the potential to cause harm, whereas an attack is intended to cause harm. We can also say that a threat is a passive entity defined by its potential vector, whereas an attack is always intentional.
- A threat to an information system doesn’t necessarily mean that information was altered or damaged, but an attack on an information system means that information may be altered, damaged, or obtained if the attack succeeds. To explain this better, we can revisit the example of the incompetent employee and the attacker employee. Although the incompetent employee is a threat, no harm is done to the information until he leaks it. Likewise, the other employee was not an attacker and had not performed an attack until he purposefully leaked the information. Once he leaked it, he was an attacker who had performed an attack and damaged the information.[3]

The two entities can be defined and differentiated by intent to cause harm. A threat doesn’t intend to cause harm; it may or may not accidentally cause harm, but an attack is always intended to cause harm.

References:

[1] J. Camenisch, Valentin Kisimov, Maria Dubovitskaya. Open Research Problems in Network Security.
[2] Retrieved from https://www.techopedia.com/definition/24748/cyberattack
[3] Retrieved from http://rupeshreddy.com/2011/08/23/difference-between-a-threat-and-an-attack/
