How do you measure risk?
Risk can be measured in a variety of ways, depending on the risk being measured. Generally, risk is measured in terms of the probability of an event occurring and its associated impact. For example, an information security risk metric might measure the likelihood that a system or data will be compromised as a result of a security breach.
This could be measured by evaluating the potential for a successful attack, the consequences of an attack, and the security controls in place to mitigate the risk. Other common metrics used to measure information security risk include the number of vulnerabilities, the number of incidents, and the severity of incidents.