International Electrotechnical Commission
Glossary

Risk
1. The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of an event and its consequence.

(Source: ISO/IEC 13335-1:2004)

2. An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.

(Source: RFC 2828)

3. The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.

(Source: NIST SP 800-30)


TC/SC: 57
Published in: IEC 62351-2, ed. 1.0 (2008-08)
Reference number: 2.2.161
Source: ISO/IEC 13335-1:2004, RFC 2828

© Copyright 2024 IEC, Geneva, Switzerland. All rights reserved