From the information security perspective, the people, processes and technology supporting the business are not bulletproof, and their vulnerabilities may be exploited. This scenario is called a threat, which has a certain impact on a company’s assets.
Impact = Vulnerability × Threat
Threats vary in probability and therefore the degree of impact. For example, in a company which handles customers’ personal data online, the probability of human error leading to disclosure of sensitive information might be greater and have a larger business impact than someone bringing down the website.
Additionally, the exploitation of a vulnerable critical system may have a greater impact than that of one used purely for archiving. ...