Page 73 - CISSO_Prep_ Guide
Risk is a combination of the probability of an event and its consequence. (ISO/IEC 27002)

The possibility that a particular threat will adversely impact an Information System by exploiting a specific vulnerability. (CNSSI 4009)
NIST SP 800-30 describes IT risk in this way: IT-related risks arise from legal liability or mission loss due to:

1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system
As can be seen, risk is a combination of impact, likelihood, threats, vulnerabilities, and the entity or assets involved (an asset is anything of value to an organization). Risk is usually measured as the amount of damage an asset would suffer in an adverse situation. Even though risk is also an opportunity, as seen earlier in this chapter, we are going to examine risk mainly from the negative side throughout the rest of this chapter.
Risk management is based on the three elements of risk assessment, risk response, and risk monitoring. However, before we can even begin to assess risk, it is necessary to identify the assets that need to be protected and then determine the value of

