Defining Information Security Risk

Years ago I wrote a definition of Information Security Risk that still seems to work well for me. Here it is:

Information Security Risk is a function of (a) the likelihood of a specific threat-source exploiting a specific vulnerability in a specific information system and (b) the resulting impact of that event on confidentiality, integrity, and availability.

Do you have a different definition of Information Security Risk? Please add it as a comment!

Published by Clint Laskowski

Hello! My name is Clint Laskowski, and I'm an Information Security Professional who helps clients identify, assess, treat, and monitor risks to information and information systems. I'm also very interested in web development and the Wisconsin startup scene.