Quantify Damage (Impact)

Step 8 in the recommended risk assessment process is "Quantify damage". This page expands on that step.

When quantifying risk impact, consider the business use of the system in question and how critical it is to the business function. Consider also the need for access to the data, the need for data confidentiality and integrity, and the potential damage if any of these is compromised.

Damage levels

Here are some damage categories; the choice of categories is up to the organization.

  1. Critical - high damage (other descriptions may include crucial, serious, severe, essential) - Death or critical loss that would seriously disrupt the business.
  2. Important - medium damage - Injury or loss that disrupts the business.
  3. Standard - low damage - Minor injury or temporary loss of service that has minimal effect on business operations.
  4. Common - no to minimal damage - Temporary service loss or loss of data that requires minor administrative action to remedy.

Damage types:

  • Physical
  • Loss, unauthorized modification, or destruction of data.
  • Disclosure of sensitive information.
  • Accidental modification or destruction of data.
  • Loss or degradation of service.

Damage Consequences:

  • Loss of life
  • Destruction of property
  • Loss or damage to equipment
  • Loss of business opportunity
  • Loss of sensitive information
  • Loss of money
  • Loss of revenue due to the incident such as loss of sales.
  • Loss of productivity
  • Loss of staff time to fix the problem.
  • Damage to reputation

To calculate cost per incident, rather than using an exact asset value for the equipment, I would calculate the total damage done per incident, including all costs such as damage to equipment and loss of productivity, and use that figure as the asset value. Each type of loss per incident should be quantified and summed to give the total loss per incident.

Examples

These examples are not intended to be complete, only to give a feel for damage estimates. The values do not reflect actual probable loss and in no way indicate that one security control or vulnerability is more important than another.

Threat | Likelihood | Objects threat is against | Total probability | Control Reduction | Damage
Workstation hard drive failure | 10% per year | 400 workstations | 40 per year | Backups | $100 for drive + $200 productivity loss
Server hard drive failure | 10% per year | 10 servers | 1 per year | RAID drives and Backups | $300 for drive. $200 to restore operation
Virus incidents | 15% per year | 400 | 60 per year | User education, block dangerous email attachments | $100 to fix, $100 loss of productivity and 50% chance of loss of data valued at $500
Server hack | 7% per year | 10 servers | 70% | Faster updates, additional monitoring, intrusion detection/prevention SW, stronger auditing, incident response | $500 to fix + 50% chance loss of data valued at $5000
Theft of laptop | 5% per year | 30 | 1.5 per year | Encrypt data on laptops | $2000 loss of equipment + 50% chance loss of data valued at $1000
Loss of data confidentiality through wireless sniffing | 1% per year | 1 network | 1% | Limit wireless use to approved technologies through strong policies. | 30% chance loss of data valued at $1000
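The table's arithmetic, worked through as an added example (this code is not part of the original page): each row's "Total probability" is likelihood times object count, the per-incident loss is the fixed costs plus the probability-weighted data value (reading "50% chance of loss of data valued at $500" as an expected contribution of $250, which is my assumption about the author's intent), and the annual expected loss is the product of the two, which is the figure to compare across rows.

```python
from dataclasses import dataclass

@dataclass
class ThreatRow:
    """One row of the damage-estimate table above."""
    threat: str
    likelihood: float            # annual probability per object (0.10 == 10% per year)
    objects: int                 # number of objects the threat is against
    fixed_cost: float            # costs paid on every incident (repair, restore, productivity)
    data_loss_chance: float = 0.0   # probability that an incident also loses data
    data_value: float = 0.0         # value of the data that may be lost

    def incidents_per_year(self) -> float:
        # The table's "Total probability" column: 10% x 400 workstations = 40 per year.
        return self.likelihood * self.objects

    def loss_per_incident(self) -> float:
        # Expected damage of one incident; this is the per-incident figure the text
        # suggests using in place of a plain equipment asset value.
        return self.fixed_cost + self.data_loss_chance * self.data_value

    def annual_expected_loss(self) -> float:
        return self.incidents_per_year() * self.loss_per_incident()

# Rows transcribed from the example table above (dollar figures as given there).
TABLE = [
    ThreatRow("Workstation hard drive failure", 0.10, 400, 100 + 200),
    ThreatRow("Server hard drive failure", 0.10, 10, 300 + 200),
    ThreatRow("Virus incidents", 0.15, 400, 100 + 100, 0.5, 500),
    ThreatRow("Server hack", 0.07, 10, 500, 0.5, 5000),
    ThreatRow("Theft of laptop", 0.05, 30, 2000, 0.5, 1000),
    ThreatRow("Wireless sniffing", 0.01, 1, 0, 0.3, 1000),
]

def rank_by_annual_loss(rows):
    """Return (threat, annual expected loss) pairs, largest loss first."""
    return sorted(((r.threat, r.annual_expected_loss()) for r in rows),
                  key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    for name, loss in rank_by_annual_loss(TABLE):
        print(f"{name:32s} ${loss:10,.2f}")
```

Ranking by annual expected loss rather than by per-incident damage is what makes the frequent, cheap virus incidents outrank the rare, expensive server hack in this table.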