LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How is "risk" defined in information security, and what two factors determine it?

Risk is likelihood × impact — how probable a threat is (Eintrittswahrscheinlichkeit, E) combined with how much damage it would cause (Schadensausmass, S).

Risk matrix — likelihood (E) against impact (S), each cell coloured by the E×S product.

* Risk = E × S — likelihood (Eintrittswahrscheinlichkeit) up the side, impact (Schadensausmass) along the bottom; green cells are low risk (accept), red cells are critical (act now). *

A threat is not yet a risk. A threat becomes a risk only when you weigh two independent dimensions:

Factor German The question it answers
Likelihood Eintrittswahrscheinlichkeit (E) How probable is it that this threat actually materialises?
Impact Schadensausmass (S) If it does happen, how bad is the damage?

Risk ≈ E × S. Because the two are multiplied, a very likely but harmless event and a catastrophic but almost-impossible event can both be low risk — each scores low on one axis. Only when likelihood and impact are high do you get a top-priority risk.

Why it matters: This product is the engine of the whole risk-management process — you cannot decide what to treat, transfer, tolerate, or terminate until each risk is placed on the E×S grid (a risk matrix). It also explains residual risk: controls push E or S down, but rarely to zero, so some risk always remains and must be consciously accepted.

Tip: Picture a risk matrix — likelihood on one axis, impact on the other. Top-right (high–high) demands action; bottom-left (low–low) can usually be accepted.

Go deeper:

From Quiz: ISM / ISM Intro & Repetition | Updated: Jul 14, 2026