If you throw a fair dice, you don't know the result in advance. Throw a thousand dices, and it's a different game. Each outcome is associated with a known probability.
When you assess Information Risk, you also don't know what will happen. (Risk is about the future, right?) Worse still, probabilities are unknown. You can guess of course, and so people do: "likelihood 40%" and so on.
What we have is genuine uncertainty. This is an aspect of risk assessment that needs to be better understood.