Defining Information Security Risk

Years ago I wrote a definition of Information Security Risk that still seems to work well for me. Here it is:

Information Security Risk is a function of (a) the likelihood of a specific threat-source exploiting a specific vulnerability in a specific information system and (b) the resulting impact of that event on confidentiality, integrity, and availability.

Do you have a different definition of Information Security Risk? Please add it as a comment!