ELI5: What is Risk = Threat x Vulnerability x Impact?
A bully (threat) can only take your lunch money if your backpack is unzipped (vulnerability), and it only matters if you had money in there (impact). Remove any one of these three and the risk goes away.
Definition
The risk formula — Risk = Threat × Vulnerability × Impact — expresses that risk exists only when all three components are present. A threat is a potential cause of harm (e.g., a ransomware actor). A vulnerability is a weakness that the threat can exploit (e.g., unpatched systems). Impact is the consequence if the threat exploits the vulnerability (e.g., data encryption and business disruption). Because the factors multiply, driving any one of them to zero drives the risk to zero: with no vulnerability, the threat has nothing to exploit; with no threat, the vulnerability is never exercised; with no impact, a successful exploit costs nothing worth protecting. In Security+ the "×" is usually applied to ordinal ratings (low/medium/high or 1–5) rather than measured quantities, so the result is a relative ranking used to prioritize risks, not a dollar figure.
Key Details
- Threat: external/internal, intentional/accidental actors or events (hackers, natural disasters, insider errors)
- Vulnerability: technical (unpatched software, misconfiguration) or non-technical (lack of training, weak processes)
- Impact: the severity of harm if the risk materializes (financial, operational, reputational, regulatory)
- If any factor = 0, the risk = 0: fully remediating a vulnerability removes the risk even while the threat persists. In practice a control rarely drives a factor all the way to zero; what remains after controls are applied is residual risk
- Exam tip: this formula is foundational; each risk-reduction strategy works by lowering one factor (deterrence or threat intelligence lowers threat, patching and hardening lower vulnerability, backups and insurance lower impact), so naming the factor a control acts on is the fastest way to reason through a scenario question
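The following is an added example, not part of the original study note, showing how the formula is used in practice: a small risk register scored on an assumed 0–5 ordinal scale for each factor, ranked by product, with a helper that applies a control by lowering one factor so the effect of patching (vulnerability → 0) can be compared with a control that only lowers impact. The asset names, scales and scores are constructed for illustration.

```python
"""Added example: Risk = Threat x Vulnerability x Impact on an ordinal scale.

Each factor is scored 0-5 (an assumed scale, not one the note defines).
The register entries below are constructed for illustration only.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int         # likelihood a capable actor/event acts (0 = no threat)
    vulnerability: int  # exploitability of the weakness (0 = fully mitigated)
    impact: int         # consequence if exploited (0 = nothing of value at stake)

    def score(self) -> int:
        """Product of the three factors; any zero factor yields zero risk."""
        for factor in (self.threat, self.vulnerability, self.impact):
            if not 0 <= factor <= 5:
                raise ValueError("factors are scored on a 0-5 scale")
        return self.threat * self.vulnerability * self.impact


def rank(register):
    """Highest-scoring risks first; this ordering drives the treatment plan."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def treat(risk, **reductions):
    """Apply a control by lowering one or more factors, floored at 0.

    e.g. treat(r, vulnerability=r.vulnerability) models a complete patch,
         treat(r, impact=3) models backups that cut the consequence.
    """
    lowered = {name: max(0, getattr(risk, name) - amount)
               for name, amount in reductions.items()}
    return replace(risk, **lowered)


def compare_controls(risk):
    """Residual score for two candidate controls on the same risk."""
    patched = treat(risk, vulnerability=risk.vulnerability)   # vulnerability -> 0
    backed_up = treat(risk, impact=3)                         # impact reduced by 3
    return {"baseline": risk.score(),
            "patch (vulnerability=0)": patched.score(),
            "backups (impact-3)": backed_up.score()}


# Constructed register: one live risk, one low-likelihood risk, and one
# weakness whose impact is zero because the asset holds nothing of value.
REGISTER = [
    Risk("ransomware on unpatched file server", threat=5, vulnerability=4, impact=5),
    Risk("flood at unstaffed rural branch", threat=2, vulnerability=3, impact=1),
    Risk("SQL injection in decommissioned intranet app", threat=3, vulnerability=5, impact=0),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score():>4}  {r.name}")
    print(compare_controls(REGISTER[0]))
```

The zero-impact entry is the instructive one: the weakness is real and a threat exists, yet the register ranks it last, which is exactly what the formula predicts. `compare_controls` makes the exam-style reasoning explicit: patching zeroes the product outright, while backups leave residual risk because they only shrink one non-zero factor.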
Connections
- Parent: risk-management — this formula is the foundational model for understanding risk in Security+
- See also: risk-identification
- See also: vulnerability-assessment