Risk vs. Control Weakness

It is very common in the security world to point out "risks" associated with security controls. I believe this is not quite right, or at least that it describes a second-order risk that is worth understanding on its own terms.

In its purest form, we think of risk as the likelihood that something bad will happen. In information security, "something bad" usually means a breach of the confidentiality, integrity, or availability of some content or system. Initially, it is worth thinking about this risk as if there were no controls in place (again, in some sort of "pure" form): if a system were completely exposed, what is the likelihood that we will have a breach?

Of course (perhaps contrary to popular belief), no system is completely uncontrolled. It may be worth talking about the constraints and scope of this discussion, but I will save that for a later date (never). So as soon as we implement some controls (turning things off, for example), our corresponding risk is reduced. That is the effect of controls: to reduce our risk.

Now, take the case of a control that can be compromised in order to then breach the system. We know (I think) that the corresponding risk was reduced, at least in part, simply by implementing the control (otherwise it isn't a control). What we now have is an attack against the control rather than against the system being protected. In essence, this attack makes the control less effective, which means that the risk may not be reduced as much as intended, but it is (presumably) still reduced somewhat.
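To make that distinction concrete, here is a small worked model added to this post (it is not the author's, and the multiplicative form and the symbols $p_0$, $e$ and $w$ are assumptions chosen for illustration):

$$
\begin{aligned}
p_0 &= \text{likelihood of breach with the system fully exposed (no controls)} \\
p_c &= p_0\,(1 - e), \qquad e \in [0,1] \text{ the control's effectiveness} \\
p_{c,w} &= p_0\,\bigl(1 - e(1 - w)\bigr), \qquad w \in [0,1] \text{ the chance the control itself is defeated} \\
&= p_0\,(1 - e) + p_0\,e\,w
\end{aligned}
$$

Since $0 \le p_0\,e\,w \le p_0\,e$, we get $p_c \le p_{c,w} \le p_0$: the control weakness adds back at most a fraction $w$ of the reduction the control bought, and it can never push the risk above the uncontrolled baseline. For example, with $p_0 = 0.5$, $e = 0.8$ and $w = 0.25$, the control alone gives $p_c = 0.10$, while the weakened control gives $p_{c,w} = 0.5\,(1 - 0.6) = 0.20$. The "risk" of the control weakness is the $0.10$ that was not removed, not a new $0.20$ on top of the system's exposure.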

So, when we discuss the "risk" of a breach, it is worth distinguishing the risk associated with an exposed system from the "lack of risk reduction" that applies to a control weakness.

When thinking about "risks" associated with controls, then, it is more useful to think of the strength of the control (or its corresponding weakness) as a "risk factor" that scales how much of the underlying risk the control actually removes.