the potential for the occurrence of an adverse event if no mitigating action istaken (i.e., the potential for any applicable threat to exploit a system vulnerability). (See Acceptable Risk, Residual Risk, and Minimum Level of Protection.)

Source: NIST SP 800-16 | Category: