Risk score provides a quantifiable measure of the potential negative consequences that the security breach might have on the organization. It combines the likelihood of a threat exploiting a vulnerability with the severity of the resulting impact on the organization. This allows stakeholders to understand the severity of the incident in a standardized format, and make informed decisions on the allocation of resources for remediation and future prevention strategies. Other options, like duration or classification, are also important but don't directly articulate the degree of adverse effects on the organization as effectively as the risk score. The number of affected users, while significant, might not always reflect the complete severity of the incident if the actual risk to the organization is low.