Page 85 - CISSO_Prep_ Guide
past. The risk assessor may rely on statistical data or examples from other industries to make likelihood determinations.

An essential factor in vulnerability assessment is the capability of the adversary. An adversary that is motivated and skillful is a much higher risk than a dispassionate hacker that is just wandering around seeking targets of opportunity.
Insurance companies rely on empirical data and historical trends to predict risk. Still, in the information security world, the threat environment is under continuous change, and the effectiveness of controls can be hard to assess. We have seen companies that had no data breaches for years suddenly fall victim to many violations in a few days. We have seen products that were once thought to be secure.
Impact
Just like likelihood, determining the level of impact an event would have is a very challenging and elusive calculation. It is tough to know how much damage an event would cause if it were to happen, and most often, the estimates are very inaccurate. Organizations frequently underestimate the loss because they do not correctly consider the damage to reputation, customer confidence, or employee morale. The forecast of impact must consider the maturity of the business and its ability to respond quickly and effectively to an incident, but it must also consider factors such as the health of the relationship with customers and regulators, financial depth, politics, labor troubles, and the extent of vulnerabilities.