Risk Registers and Key Risk Indicators (Domain 5)

In our last episode, we explored the two primary methods used to analyze cybersecurity risks: qualitative and quantitative analysis. Today, we are continuing that journey by examining two specific components that show up in both approaches—probability and impact. Together, they determine how serious a risk is, how often it is likely to occur, and what effect it could have on the organization. These two dimensions shape how we rank and respond to threats. You will see them used in everything from simple risk matrices to detailed financial assessments.
Let’s begin with probability. Also referred to as likelihood, probability refers to how likely it is that a particular risk will occur. In qualitative analysis, probability is often expressed in simple terms like low, medium, or high. In quantitative analysis, probability is usually assigned as a percentage or a decimal between zero and one. For example, a risk that is expected to occur once every ten years would have a probability of zero point one.
Determining probability is both an art and a science. It involves analyzing historical data, evaluating threat intelligence, considering system exposure, and consulting with subject matter experts. In many cases, organizations rely on past incident records, external benchmarking, or predictive models to determine how frequently specific types of events have occurred—and how likely they are to occur again under current conditions.
Let’s consider a real-world example. A credit card processing company reviews the number of phishing attempts reported by employees over the past two years. They find that on average, ten percent of staff receive at least one phishing email per month. Based on this, the company determines that the probability of phishing reaching an inbox is high, and the likelihood of a user clicking on a malicious link is medium. These values help the organization prioritize employee awareness training and email filtering tools as primary controls.
Probability assessment is also useful in project planning and third-party risk management. If a vendor has a history of outages or data leaks, that historical pattern increases the estimated likelihood of disruption in your own operations. Probability is not just about guessing—it is about recognizing patterns, understanding dependencies, and adjusting assumptions based on real-world inputs.
Next, let’s turn to exposure factor and impact. The exposure factor represents how much of an asset’s value would be lost if a specific threat occurred. It is usually expressed as a percentage. For example, if an attack would destroy half the value of a customer database, the exposure factor is fifty percent. This is a key part of calculating single loss expectancy in quantitative risk assessments.
Exposure factor depends on the nature of the asset, the type of threat, and the organization’s resilience. For instance, a company with strong backups may face a lower exposure factor in a ransomware attack than a company with no recovery plan. Similarly, a power outage might have a high exposure factor for a manufacturing plant, but a much lower one for a marketing agency that can work remotely.
Let’s look at a practical scenario. A retail company hosts its online store on a web server valued at twenty-five thousand dollars in terms of licensing, configuration, and productivity loss if it were taken offline. If a distributed denial of service attack were to crash the server for a full day, the company estimates that seventy-five percent of its operational value would be lost. That means the exposure factor is seventy-five percent. Multiply that by the asset value, and you get a single loss expectancy of eighteen thousand seven hundred fifty dollars. This becomes the basis for determining whether investments in load balancing or mitigation services are justified.
Beyond the exposure factor, we must also consider the broader concept of impact. Impact is the overall consequence of a risk being realized. This includes not only direct financial loss, but also legal exposure, regulatory fines, loss of customer trust, damage to brand reputation, and interruption of critical services. Some of these can be measured in dollars, while others require qualitative judgment.
Impact assessment helps organizations understand which risks truly threaten their survival or long-term strategy. For example, a data breach involving confidential health information may have a moderate financial cost but a very high reputational impact, especially in the healthcare industry. Similarly, the loss of a control system in a manufacturing environment may lead to physical safety issues, which escalate the impact rating dramatically.
Here is a real-world example. A global logistics company experiences a service outage during peak holiday shipping. While the outage only lasts a few hours, the business impact is enormous—millions of dollars in lost orders, missed deliveries, and frustrated customers. Even though the technical failure was brief, the exposure factor was high because of the timing, and the overall impact included both financial and reputational consequences. After that incident, the company invested in redundant systems and performed a full review of their impact assessments to identify other high-exposure areas.
Impact assessment also plays a major role in compliance. Regulators often expect organizations to consider not only the financial loss, but also the potential harm to users or the public. That is why many privacy laws require breach notification even when the financial loss is minimal. The impact is about the harm, not just the cost.
The key takeaway is this: both probability and impact must be evaluated to understand the seriousness of a risk. A high-probability, low-impact risk may be acceptable. A low-probability, high-impact risk—such as a rare but devastating data breach—may require significant mitigation, even if it is unlikely to occur. Many organizations use a heat map or a scoring system to rank risks across these two dimensions. Those that land in the high-probability, high-impact quadrant are addressed first.
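As an added illustration (not part of the episode), the following Python puts the web-server SLE scenario above and the probability-by-impact ranking into working code. The risk entries are constructed sample data, and the annualized loss step goes one step beyond the episode by applying the "once every ten years equals zero point one" idea to the SLE.

```python
from dataclasses import dataclass

# Qualitative levels used by the heat map (low/medium/high -> 1/2/3).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor; EF is a fraction between 0 and 1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, annual_rate: float) -> float:
    """Expected yearly loss: SLE x how often the event occurs per year
    (an event expected once every ten years has a rate of 0.1)."""
    return sle * annual_rate


@dataclass
class Risk:
    name: str
    probability: str  # "low", "medium" or "high"
    impact: str       # "low", "medium" or "high"

    def score(self) -> int:
        """Heat-map score: probability level times impact level (1 to 9)."""
        return LEVELS[self.probability] * LEVELS[self.impact]

    def is_top_quadrant(self) -> bool:
        """High probability AND high impact: addressed first."""
        return self.probability == "high" and self.impact == "high"


def rank_risks(risks: list[Risk]) -> list[str]:
    """Rank by score; on a tie, the higher-impact risk comes first, so a rare
    but devastating event outranks a frequent nuisance with the same score."""
    ordered = sorted(risks, key=lambda r: (r.score(), LEVELS[r.impact]), reverse=True)
    return [r.name for r in ordered]


# Constructed sample register (not from the episode).
SAMPLE_RISKS = [
    Risk("user clicks phishing link", "high", "medium"),
    Risk("DDoS takes web store offline", "medium", "high"),
    Risk("rare breach of customer database", "low", "high"),
    Risk("office printer outage", "high", "low"),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(25_000, 0.75)   # the episode's DDoS scenario
    print(f"SLE: ${sle:,.2f}")
    print("Ranked risks:", rank_risks(SAMPLE_RISKS))
```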
From a risk management perspective, combining likelihood and impact creates a clear roadmap for decision-making. It helps determine where to invest, where to monitor, and where to accept risk strategically. And from a governance standpoint, it supports communication between technical teams and executives. Business leaders may not understand encryption algorithms or firewall rules—but they understand probability, exposure, and impact when expressed in clear, relatable terms.
As you prepare for the Security Plus exam, be sure you can define these terms clearly and apply them to simple scenarios. You may be asked to calculate single loss expectancy using asset value and exposure factor. You might be given a risk description and asked to rank its impact or likelihood. Or you may need to explain the difference between exposure and probability in a multiple-choice question.
Here is a helpful tip. When you see a question that includes terms like percentage loss, asset value, or how much damage—you are dealing with exposure factor or impact. If the question describes how often an event could happen, or mentions likelihood, you are working with probability. Recognizing these keywords will help you sort through the question quickly and pick the correct answer with confidence.
For more detailed breakdowns of these topics, visual aids, and practice worksheets, visit us at Bare Metal Cyber dot com. You will find bonus study materials, test prep guides, and a community of learners working toward Security Plus certification. And for the most complete, exam-aligned study experience, grab your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success at Cyber Author dot me.