Which factors determine risk likelihood and impact in a risk assessment?

Enhance your NSF Specialist Training skills. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which factors determine risk likelihood and impact in a risk assessment?

Explanation:
Risk likelihood and impact come from looking at both how probable a threat is and how severe the consequences would be if it materializes. The factors that shape likelihood include threat prevalence (how often the threat occurs), vulnerability exploitability (how easy it is to take advantage of a flaw), exposure (how exposed the asset is to threats), and the effect of existing controls in reducing or containing a risk. For impact, consider the asset’s value, how a disruption would affect missions, and any regulatory penalties that could result from the incident. Put together, these elements give a complete view of risk after controls are considered, since controls can lower either the chance of an event or the severity of its impact. Options that focus only on asset value, or only on penalties, or rely on a single metric like number of employees, miss important pieces of the risk picture and don’t capture how likelihood and impact interact.

