Which statement best describes the overall concept of risk in this context?

Enhance your preparation for the Federal IT Security Professional Test. Use quizzes, flashcards, and detailed explanations to ensure success. Stay ahead in the field of IT Security!

Multiple Choice

Explanation:
In security, risk comes from the chance that a threat could exploit a vulnerability and cause harm, and how bad that harm would be. That means risk combines how likely something bad is to happen with how severe the consequences would be. In practice, it’s often expressed as likelihood times impact, capturing both probability and severity of impact.

If there were no threats, risk would be zero, but in real environments threats exist, and risk depends on how likely those threats are to exploit vulnerabilities and how significant the resulting damage would be. A vulnerability by itself isn’t risk; it’s a factor that can raise risk if a threat is likely to exploit it. Regulatory compliance isn’t risk itself; it’s about meeting standards and can influence risk, but it doesn’t define how much risk there is.

So the statement that risk is the combination of likelihood and impact best describes the overall concept.
