1. Scanner reports a vulnerability that does not actually exist on the system
2. A real vulnerability exists on the system but does not appear in the scan report
3. Percentage of asset value or service capacity potentially lost if a vulnerability is exploited
4. The level of risk an organization accepts during the window between vulnerability discovery and completed remediation