If you look at the Management Plan for any of our modules, you will see columns on the right that indicate that Risk Scores are based on Severity & Probability (some people prefer to say likelihood & impact). Essentially, that is how we define our Risk Scores, and how you should explain it. We look at the likelihood that this particular issue could lead to a data breach or larger problem, and the severity of impact that the issue could have. The calculation itself is based off of a proprietary algorithm, however, which we do not make publically available.
