Risk assessment plays a key role in the information security management of organizations to protect their assets against cyber threats and reduce the risk of attacks to their infrastructures. One key element in the risk assessment process is the determination of the probability of occurrence of elementary attack actions. For that, this paper suggests a novel model which considers vulnerability severities, attack scenarios and various potential actors and their motivations. Based on the results obtained from the new model we further infer the most likely attack scenarios. An SDN-based network infrastructure is taken as an example scenario to demonstrate our new approach.