In risk modeling, which equation represents risk?

Risk is about the chance that a threat can exploit a vulnerability and cause harm, and these two factors interact in a way that compounds the risk. In this view, both how strong the threat is and how exposed the system is (the vulnerability) matter, and their effects multiply. The product form captures that risk drops to zero if either component is absent, and rises quickly when both are present at higher levels. For example, a high-threat environment paired with a significant vulnerability yields a high risk, whereas a strong threat with no vulnerability or a severe vulnerability but no credible threat results in much lower risk. Other formulas don’t reflect this interaction: adding threat and vulnerability would not zero out risk if one factor is absent, subtracting implies vulnerability reduces risk, and using vulnerability with impact ignores the likelihood of an actual threat exploiting it.