The possibility that a threat causes meaningful harm once likelihood, impact, and existing controls are considered.
Risk is the possibility that something harmful will happen and matter to the organization. In plain language, it is the chance that a threat could affect an important asset, process, or service in a way that creates real business, operational, legal, or safety consequences.
Risk matters because security teams do not have infinite time or budget. They need a way to decide what deserves immediate action, what can be reduced over time, and what can be accepted temporarily with clear visibility.
It also matters because cybersecurity is contextual. The same weakness can represent very different levels of concern depending on who can reach it, what system it affects, how important that system is, and what controls already exist around it.
Risk appears in architecture reviews, vendor assessments, board reporting, remediation planning, policy exceptions, and audit response. Teams use risk language when they decide whether to accept exposure, add compensating controls, or accelerate a major fix.
The concept also appears during incident response. Security leaders often need to explain not only what happened, but also what business risk now exists, how long that risk remains open, and what actions are being taken to reduce it.
| Term | Core question | Example way to think about it |
|---|---|---|
| Threat | What could cause harm? | A phishing campaign, insider misuse, or outage |
| Vulnerability | What weakness could be used? | A missing patch, weak access control, or exposed service |
| Risk | How much does that combination matter here? | How likely and damaging it would be in this environment |
| Security Control | What reduces the risk? | MFA, segmentation, backups, monitoring, or tighter privilege |
An organization runs a legacy internal application with a known weakness. Because the application is reachable only from a tightly restricted network segment and monitored closely, the risk may be lower than the same weakness on a public customer portal, even though the technical flaw is similar.
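The scenario above can be made concrete with a small rating model, added here as an illustration (not code from the original page). It assumes a common convention, likelihood times impact on a 1 to 5 scale with named controls lowering likelihood, and the control catalogue and thresholds below are constructed values, not a prescribed method.

```python
from dataclasses import dataclass, field

@dataclass
class Exposure:
    """One weakness as it exists in a specific environment."""
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), before controls
    impact: int                # 1 (negligible) .. 5 (severe) if exploited
    controls: list = field(default_factory=list)

# Constructed catalogue: how many likelihood steps each existing control removes.
CONTROL_EFFECT = {
    "restricted network segment": 2,
    "close monitoring": 1,
    "mfa": 1,
}

def residual_likelihood(exp: Exposure) -> int:
    """Likelihood that remains once the controls around the asset are credited."""
    reduction = sum(CONTROL_EFFECT.get(c, 0) for c in exp.controls)
    return max(1, exp.likelihood - reduction)

def risk_score(exp: Exposure) -> int:
    """Residual likelihood x impact; the weakness alone never decides this."""
    return residual_likelihood(exp) * exp.impact

def risk_rating(score: int) -> str:
    """Map the numeric score onto the qualitative bands used in reporting."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

def treatment(rating: str) -> str:
    """Illustrative decision per band: accelerate, compensate, or accept with visibility."""
    return {
        "High": "accelerate the fix",
        "Medium": "add compensating controls and schedule remediation",
        "Low": "accept temporarily with clear visibility",
    }[rating]

def assess(exp: Exposure) -> dict:
    score = risk_score(exp)
    rating = risk_rating(score)
    return {"name": exp.name, "score": score, "rating": rating, "treatment": treatment(rating)}

# Same technical flaw (identical raw likelihood and impact), two contexts.
legacy_internal = Exposure("legacy internal app", likelihood=5, impact=4,
                           controls=["restricted network segment", "close monitoring"])
public_portal = Exposure("public customer portal", likelihood=5, impact=4)

if __name__ == "__main__":
    for exposure in (legacy_internal, public_portal):
        print(assess(exposure))
```

Running it rates the segmented, monitored application Medium (score 8) and the unprotected public portal High (score 20), which is the whole point: the flaw is the same, the risk is not.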
Risk is not the same as Threat or Vulnerability. A threat is a source of possible harm. A vulnerability is a weakness. Risk is the larger judgment about what harm could realistically happen in context.
It is also a mistake to think risk can always be eliminated. Most organizations manage risk rather than removing every possible exposure, which is why layered Security Controls and clear Mitigation plans matter.