Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. -NIST.gov