Identification should include differentiating between a threat and a vulnerability, as well as