How would you explain the difference between a vulnerability, a threat, and a risk in the context of enterprise security?