A risk score is a numerical value assigned to a risk based on a quantitative assessment of its likelihood and impact. By converting qualitative judgements into comparable numbers, risk scores enable objective prioritisation across different risk categories and business units. Common approaches include simple multiplication of likelihood and impact ratings or more sophisticated models that weight additional factors such as velocity and detectability.
Risk scores are most valuable when applied consistently using a well-defined methodology and reviewed regularly. They inform decisions on where to allocate security budgets, which risks require immediate treatment and which fall within the organisation's accepted risk appetite. Transparent scoring criteria also improve communication between technical teams and executive stakeholders.