LOGBOOK

HELP

Quiz Entry - updated: 2026.05.28

How is risk defined and quantified in information security?

Risk = likelihood × impact — a future, negative deviation from the desired state, weighted by how probable it is.

Formally, a risk (in the narrow sense = a Gefahr) is a possible future event, rated by its probability and its impact, that would harm the organisation.

$$\text{Risk} = \text{Probability} \times \text{Impact (Schadensausmass)}$$

Because true probabilities are extremely hard to compute, practitioners substitute an estimated frequency (how often per period):

$$\text{Risk} = \text{Frequency of occurrence} \times \text{Impact}$$

Why frequency instead of probability: you rarely know the exact 0–1 probability of a breach, but you can estimate "about twice a year" from incident history and expert judgement. Frequency is measurable; abstract probability usually isn't.

Tip: This is the foundation of the risk matrix — frequency on one axis, impact on the other; the product (top-right corner) is where you focus mitigation.

From Quiz: ISF / Foundations, Key Terms & Ransomware | Updated: May 28, 2026