According to ISO 31000, “risk” is the effect of uncertainty on objectives. A “threat” is a negative risk, i.e. a risk with a negative effect. In the context of information security, the NIST Generic Risk Model can be interpreted in terms of ISO 31000.
THREAT EVENT = THREAT SOURCE EXPLOITS A VULNERABILITY
A threat event describes a “threat source” exploiting a “vulnerability”, either in the asset itself or in its security controls. The threat event represents the uncertainty (likelihood) component of the threat or risk; if the threat event occurs, it causes a loss/impact (the negative effect of the threat or risk).
In summary, a threat is a negative risk. It is a function of uncertainty (threat event) and effect (loss/impact).
- Risk (or Threat) = (the likelihood of) Vulnerability (exploited by threat source) X (loss/impact of) Threat
When this formula is simplified without keeping the definitions consistent, it degenerates into the common but misleading form: Risk = Vulnerability X Threat
- The symbol = should be read as “is a function of”, and X as “and”.
The threat event can be measured quantitatively (e.g. 80%) or qualitatively (H/M/L), and so can its loss/impact.
It’s common for people to semi-quantitatively replace H/M/L with numbers or scores, e.g. 3/2/1.
The threat or risk level can then be computed from these scores, e.g. 3 X 3 = 9.