There are two things in this definition that may need some clarification. First, the process of risk management is an ongoing, iterative process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerabilities emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.

Risk analysis and risk evaluation processes have their limitations since, when security incidents occur, they emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena, which are characterized by breakdowns, surprises and side-effects, requires a theoretical approach which is able to examine and interpret subjectively the detail of each incident.

Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man-made or act of nature) that has the potential to cause harm.

The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called "residual risk".

How is risk defined in the context of information technology and information security?