How is "risk" defined in information security, and what two factors determine it?
Risk is likelihood × impact — how probable a threat is (Eintrittswahrscheinlichkeit, E) combined with how much damage it would cause (Schadensausmass, S).
* Risk = E × S — likelihood (Eintrittswahrscheinlichkeit) up the side, impact (Schadensausmass) along the bottom; green cells are low risk (accept), red cells are critical (act now). *
A threat is not yet a risk. A threat becomes a risk only when you weigh two independent dimensions:
| Factor | German | The question it answers |
|---|---|---|
| Likelihood | Eintrittswahrscheinlichkeit (E) | How probable is it that this threat actually materialises? |
| Impact | Schadensausmass (S) | If it does happen, how bad is the damage? |
Risk ≈ E × S. Because the two are multiplied, a very likely but harmless event and a catastrophic but almost-impossible event can both be low risk — each scores low on one axis. Only when likelihood and impact are high do you get a top-priority risk.
Why it matters: This product is the engine of the whole risk-management process — you cannot decide what to treat, transfer, tolerate, or terminate until each risk is placed on the E×S grid (a risk matrix). It also explains residual risk: controls push E or S down, but rarely to zero, so some risk always remains and must be consciously accepted.
Tip: Picture a risk matrix — likelihood on one axis, impact on the other. Top-right (high–high) demands action; bottom-left (low–low) can usually be accepted.
Go deeper:
Risk matrix (Wikipedia EN) — the likelihood×impact grid and how organisations band it into low/medium/high/critical.
IT risk (Wikipedia EN) — how the generic risk definition is applied to information and IT assets.