According to ISO/IEC 13335-1, information security risk is the potential for harm to the organization arising from a threat exploiting a vulnerability of an asset or a group of assets; it manifests as a series of emergencies (security incidents) in which the threat makes use of that vulnerability.
Assets, threats and vulnerabilities are the basic elements of information security risk and the necessary conditions for its existence. Without assets, a threat has no target to attack or damage; without a threat, no security incident occurs even if the assets are valuable and the vulnerabilities are serious; and if the system has no vulnerabilities, a threat has nothing to exploit and no security incident can occur.
Risk can be expressed formally as R = (A, T, V), where R denotes risk, A denotes assets, T denotes threats and V denotes vulnerabilities.
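The following is an added example, not text or code from ISO/IEC 13335-1, that turns the triple R = (A, T, V) into a small risk register. It enumerates a risk scenario only when all three elements are present and linked (a vulnerability on one of the asset's components, and a threat able to exploit that kind of weakness), so an empty asset, threat or vulnerability list yields no risk at all, which is exactly the conjunction the paragraphs above describe. The 1–5 scales and the value × likelihood × severity scoring are illustrative assumptions; the standard defines the elements, not this arithmetic.

```python
"""Added example (not from ISO/IEC 13335-1): a minimal risk model built on
the triple R = (A, T, V).

A risk scenario exists only when all three elements are present and linked:
a threat that applies to an asset and a vulnerability on that asset that the
threat can exploit. The scoring (value x likelihood x severity) and the 1..5
scales are illustrative assumptions, not part of the standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int             # 1 (negligible) .. 5 (critical); assumed scale
    components: frozenset  # technologies/services the asset is built from


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # 1 .. 5; assumed scale
    exploits: str          # the class of weakness this threat makes use of


@dataclass(frozen=True)
class Vulnerability:
    name: str
    severity: int          # 1 .. 5; assumed scale
    affects: str           # component that carries the weakness
    kind: str              # weakness class a threat must match to use it


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability

    @property
    def score(self) -> int:
        # Illustrative scoring only; the standard defines A, T and V, not this formula.
        return self.asset.value * self.threat.likelihood * self.vulnerability.severity


def enumerate_risks(assets, threats, vulns) -> list[Risk]:
    """Return every (A, T, V) triple where the vulnerability sits on a
    component of the asset and the threat can exploit that vulnerability.
    If any of the three inputs is empty, the result is empty: no asset,
    no threat or no vulnerability means no risk."""
    risks = []
    for a in assets:
        for v in vulns:
            if v.affects not in a.components:
                continue  # weakness is not on this asset: no target
            for t in threats:
                if t.exploits != v.kind:
                    continue  # threat cannot make use of this weakness
                risks.append(Risk(a, t, v))
    return sorted(risks, key=lambda r: r.score, reverse=True)


# Constructed sample register (fictional systems, for illustration only).
ASSETS = [
    Asset("customer-db", 5, frozenset({"postgres", "backup-share"})),
    Asset("marketing-site", 2, frozenset({"cms"})),
]
THREATS = [
    Threat("external attacker", 4, "unauthenticated-access"),
    Threat("ransomware", 3, "unpatched-software"),
]
VULNS = [
    Vulnerability("backup share readable without auth", 5, "backup-share", "unauthenticated-access"),
    Vulnerability("CMS plugin outdated", 3, "cms", "unpatched-software"),
    Vulnerability("database not patched", 4, "postgres", "unpatched-software"),
]

if __name__ == "__main__":
    for r in enumerate_risks(ASSETS, THREATS, VULNS):
        print(f"{r.score:3d}  {r.asset.name} / {r.threat.name} / {r.vulnerability.name}")
```

Run as a script it lists the three scenarios that the sample register actually supports, highest score first; the "external attacker" threat never pairs with the CMS or database weaknesses because it does not exploit that weakness class, and removing all assets, all threats or all vulnerabilities produces an empty register.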