Likelihood of occurrence describes how probable a specific risk event is within a defined time period. It is one of the two dimensions of risk assessment — the other being the impact level.
In an ISMS, likelihood is typically assessed on a qualitative scale (e.g., rare / occasional / likely / very likely). ISO 27005 recommends considering historical incidents, the current threat landscape, and existing protective measures. The combination of likelihood and impact produces the risk level, which determines whether a risk is accepted, treated, avoided, or transferred.