How is risk defined and quantified in information security?
Risk = likelihood × impact — a future, negative deviation from the desired state, weighted by how probable it is.
Formally, a risk (in the narrow sense = a Gefahr) is a possible future event, rated by its probability and its impact, that would harm the organisation.
$$\text{Risk} = \text{Probability} \times \text{Impact (Schadensausmass)}$$
Because true probabilities are extremely hard to compute, practitioners substitute an estimated frequency (how often per period):
$$\text{Risk} = \text{Frequency of occurrence} \times \text{Impact}$$
Why frequency instead of probability: you rarely know the exact 0–1 probability of a breach, but you can estimate "about twice a year" from incident history and expert judgement. Frequency is measurable; abstract probability usually isn't.
Tip: This is the foundation of the risk matrix — frequency on one axis, impact on the other; the product (top-right corner) is where you focus mitigation.