Determination of risk levels
Advanced Risk Management
0.0 Shifting from technical execution to strategic risk management.
1. Introduction to ISO/IEC 27005 and information security risk management
2. Information Security Risk Identification, Assessment, and Treatment (ISO/IEC 27005)
3 - Risk Acceptance, Communication, Monitoring and Review
4 - Risk Assessment Methodologies
05 - ISO 27005 Risk Assessment Using FMEA
Once the potential consequences and the likelihood of an event have been independently and rigorously assessed, the information security risk assessment process proceeds to determine the overall risk level. ISO/IEC 27005 states that the level of risk is determined by combining the assessed likelihood and consequences, mathematically or categorically, for every relevant risk scenario. The purpose of this step is to give risk owners and executive leadership a standardised, defensible metric with which to prioritise risks across the enterprise and make informed, resource-backed decisions about risk treatment.
Determining risk levels requires criteria that accurately reflect the organisation's operating environment and threat landscape. Likelihood, one of the two inputs, represents the probability or frequency of a threat event occurring and successfully exploiting a vulnerability within a given timeframe. Depending on the organisation's methodology, likelihood can be expressed in probabilistic terms (the percentage chance that an event will occur within a specific period, typically annualised) or in frequency terms (the notional average number of occurrences within a given period, such as once every ten years). Whichever form is used, the same form must be applied to every scenario, or the resulting risk levels cannot be compared.
To capture the vast disparities inherent in cyber risk events, ISO/IEC 27005 allows logarithmic scales (for example base 10) to be used for both likelihood and consequence when determining risk levels. A logarithmic scale lets an organisation model high-frequency, low-impact events (such as automated, volumetric botnet scans) alongside exceedingly rare, catastrophic events (such as a nation-state supply chain compromise or insider sabotage) within the same analytical framework. Because log(L) + log(C) = log(L × C), summing the logarithmic indices of likelihood and consequence yields the logarithm of the expected annual loss: a tenfold increase in either input adds exactly one to the risk index. Equal-width linear bands cannot do this; once the top band is reached, every larger consequence collapses into it and severity differences of several orders of magnitude are flattened away.
When organisations rely on non-numerical matrices to determine risk levels, ISO/IEC 27005 cautions against assuming a symmetrical grid. A risk matrix that is perfectly symmetrical about its diagonal treats a high-likelihood/low-consequence event as the same business exposure as a low-likelihood/high-consequence event. In reality, an organisation's risk profile is normally asymmetrical: trivial events are the most frequent, and expected frequency typically falls as consequence rises. The matrix used to determine the final risk level must therefore be weighted to reflect the organisation's specific aversion to catastrophic outcomes, so that existential threats always produce the highest risk level regardless of their perceived improbability. Two checks worth applying to any proposed grid are that it is not mirror-symmetric about its diagonal and that no cell in the highest-consequence row falls below the level the organisation reserves for untreatable exposures.
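The two scoring approaches above, worked through in Python as an added illustration (this is not course material or text from ISO/IEC 27005): the three scenarios, their frequency and consequence figures, the linear band width and the two 5x5 grids are all constructed assumptions. The script sums base-10 log indices for a frequent trivial event and a rare catastrophic one, shows how equal-width linear bands saturate, and then looks the same pairs up in a symmetric and an asymmetric categorical matrix. The two extreme scenarios deliberately produce the same summed index (6.0), which is exactly why the organisation's aversion to catastrophic outcomes has to be carried by the matrix weighting rather than by the arithmetic alone.

```python
import math

# Constructed scenarios (illustrative numbers, not from the page): annualised
# frequency of the threat event and monetary consequence of one occurrence.
SCENARIOS = {
    "botnet_scan":             {"frequency_per_year": 1e5,  "consequence_usd": 1e1},
    "phishing_credential":     {"frequency_per_year": 1e1,  "consequence_usd": 1e4},
    "supply_chain_compromise": {"frequency_per_year": 1e-2, "consequence_usd": 1e8},
}


def log_index(value):
    """Base-10 logarithmic index of a positive quantity: 1e5 -> 5.0, 0.01 -> -2.0."""
    if value <= 0:
        raise ValueError("likelihood and consequence must be positive to take a log")
    return math.log10(value)


def risk_index(frequency_per_year, consequence_usd):
    """Summed log indices. Because log(L) + log(C) = log(L * C), this is the
    log10 of the annualised loss expectancy: a tenfold rise in either input
    adds exactly 1.0 to the index instead of being flattened."""
    return log_index(frequency_per_year) + log_index(consequence_usd)


def linear_band(value, band_width, max_band):
    """Equal-width linear banding (0-10k, 10k-20k, ... with band_width=1e4).
    Anything beyond the top band collapses into it: the saturation a log
    scale avoids."""
    if value <= 0:
        return 0
    return min(max_band, math.ceil(value / band_width))


# Categorical determination: ordered scales and two 5x5 grids, indexed
# [consequence][likelihood] with both scales ascending.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost_certain"]
CONSEQUENCE = ["negligible", "minor", "moderate", "major", "catastrophic"]
LEVELS = ["low", "medium", "high", "critical"]

# Symmetric grid: the level depends only on the rank sum, so (rare, catastrophic)
# and (almost_certain, negligible) come out identical.
SYMMETRIC_MATRIX = [[LEVELS[min(3, (c + l) // 2)] for l in range(5)] for c in range(5)]

# Asymmetric grid weighted for aversion to catastrophic outcomes: the whole
# catastrophic row is "critical" regardless of likelihood, while frequent but
# negligible events never rise above "medium". Constructed weighting; a real
# organisation derives its own from its risk appetite.
ASYMMETRIC_MATRIX = [
    # rare        unlikely    possible    likely      almost_certain
    ["low",       "low",      "low",      "low",      "medium"],    # negligible
    ["low",       "low",      "low",      "medium",   "medium"],    # minor
    ["low",       "medium",   "medium",   "high",     "high"],      # moderate
    ["medium",    "high",     "high",     "critical", "critical"],  # major
    ["critical",  "critical", "critical", "critical", "critical"],  # catastrophic
]


def is_symmetric(matrix):
    """True if the grid is mirror-symmetric about its diagonal."""
    return all(matrix[i][j] == matrix[j][i] for i in range(5) for j in range(5))


def risk_level(matrix, likelihood, consequence):
    """Categorical risk level for a (likelihood, consequence) pair."""
    return matrix[CONSEQUENCE.index(consequence)][LIKELIHOOD.index(likelihood)]


def catastrophic_row_at_least(matrix, level):
    """Check that every cell in the catastrophic row is at least `level`."""
    floor = LEVELS.index(level)
    row = matrix[CONSEQUENCE.index("catastrophic")]
    return all(LEVELS.index(cell) >= floor for cell in row)


if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        print(f"{name:24s} risk_index={risk_index(**s):5.1f}  "
              f"linear consequence band={linear_band(s['consequence_usd'], 1e4, 5)}")
    print("symmetric grid symmetric? ", is_symmetric(SYMMETRIC_MATRIX))
    print("asymmetric grid symmetric?", is_symmetric(ASYMMETRIC_MATRIX))
    print("rare/catastrophic:", risk_level(SYMMETRIC_MATRIX, "rare", "catastrophic"),
          "vs", risk_level(ASYMMETRIC_MATRIX, "rare", "catastrophic"))
```

Running the script shows the botnet scan and the supply chain compromise both scoring 6.0 on the log index (equal expected annual loss), the 1e5 and 1e8 consequences both landing in linear band 5, and the asymmetric grid alone rating the rare catastrophic scenario "critical" while keeping the frequent trivial one at "medium".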
The primary challenge in determining accurate risk levels lies in navigating the triad of uncertainty: personal uncertainty (the inherent cognitive bias of the human assessor), methodological uncertainty (flaws in simplistic modelling tools or poorly designed matrices), and systemic uncertainty (a fundamental lack of historical data regarding novel, emerging threat vectors). The rapid evolution of the threat landscape, particularly the weaponisation of artificial intelligence by threat actors to automate phishing campaigns and exploit discovery, means that historical frequency data is increasingly unreliable for predicting future likelihood.
The preceding sections describe how to score a risk, mathematically or categorically. These mechanics do not exist in a vacuum; they are shaped by the organisation's governance, specifically its risk appetite, risk tolerance, and acceptance criteria.
Risk Appetite (The Strategic Direction): Risk appetite is the highest-level governance concept. It is the amount and type of risk an organisation is broadly willing to pursue or retain in order to achieve its strategic objectives, and it is set by the Board of Directors.
Risk Tolerance (The Operational Boundaries): While appetite is a broad strategic statement, tolerance is the specific, measurable level of variance the organisation will accept around a specific objective.
Risk Assessment Criteria (The Measurement Mechanics): These are the scales and combination rules described above. Once appetite and tolerance are defined, the organisation must establish the mathematical or categorical rules for measuring likelihood and consequence so that risks are scored consistently across assessors and business units.
Risk Acceptance Criteria (The Decision Thresholds): Risk acceptance criteria are the definitive thresholds that determine whether a scored risk is acceptable to the business or unacceptable and requires active treatment (mitigation, transfer, or avoidance).