This is a revision of another question found here:
Consider a criminal pondering the commission of a crime, C. It could be launching a cyber-attack or embezzling funds.
How likely is it that the attempt will succeed? Call it P(S). How likely is it that a malefactor will attempt C in the next year? Call it P(A)
Assume that experts provide credible estimates for P(S) and P(A). If we assume the community of malicious actors is uniformly competent and that every attempt is equally likely to succeed, how likely is it that a successful attempt will occur? It does not seem credible to assume that S and A are independent. Although the hardness of the problem does not depend on the number of attempts, it does not seem reasonable to assume the converse. If the crime is difficult to commit (requiring intricate timing and deep knowledge, say) fewer attempts are likely to be made.
What is the best way to model what might be called the “threat potency”?
The question is not well-formed. If we assume that there is either 0 or 1 attempt in the next year, and you know the probability $p$ that there will be 1 attempt in the next year (perhaps this is what you meant by "P(A)", or perhaps not), and you know the probability $q$ that the attempt will succeed if it is attempted (perhaps what you had in mind with "P(S)"), then the probability of a successful attempt is exactly $pq$.
I think it's easier to formulate this as a conditional probability. Let $\mathcal{A}$ denote the event that there is an attempt, and $\mathcal{S}$ the event that there is a successful attempt; then experts are presumably giving us the probability $\Pr[\mathcal{A}]$ and $\Pr[\mathcal{S} \mid \mathcal{A}]$. With that formulation, it absolutely is correct that
$$\Pr[\mathcal{S} \land \mathcal{A}] = \Pr[\mathcal{S} \mid \mathcal{A}] \times \Pr[\mathcal{A}],$$
and by the structure of "attempt" and "success", we have
$$\Pr[\mathcal{S}] = \Pr[\mathcal{S} \land \mathcal{A}].$$
No bogus independence assumptions are made in this calculation.
But this only works if we know that there will be either 0 or 1 attempt. If there might be multiple attempts, and we don't know anything about the distribution of number of attempts (if it is non-zero), then it is not possible to predict the number of successful attempts. In that case, perhaps you want to compute the expected number of successful attempts. This requires an understanding of the expected number of attempts and the probability that an attempt is successful (assuming this is the same for all attempts -- which seems quite dubious).
Overall, this modelling exercise seems on rather shaky foundations, and it seems likely you are making dubious assumptions that probably don't capture the real world very well. So while you can compute mathematical expressions, my guess is that it's likely the predictions might be unreliable and of poor quality because of the failure to accurately model the real-world phenomena.