Impact Assessment

One of the more important pieces of information about an incident is the impact it has on the organization. Unfortunately, the true scope and extent of the consequences can be difficult to measure, since a wide array of tangible and intangible costs can be involved. With this in mind, VERIS uses three perspectives of impact in order to provide an understanding and measure of the consequences associated with the incident. Together they seek to 1) categorize the varieties of losses experienced, 2) estimate their magnitude, and 3) capture a qualitative assessment of the overall effect on the organization.

Loss categorization

Question Text: What varieties of losses were experienced as a result of this incident? If known, enter a loss estimate for each.

User notes: VERIS divides impact into two basic categories, direct and indirect. Direct impacts are losses directly resulting from the threat actor’s actions against organizational assets (as opposed to indirect categories of loss that are caused by the actions of others, such as auditors, customers, shareholders, etc.). Indirect impacts are losses resulting from a stakeholder’s (e.g., regulator, customer, auditor, lawyer) reaction to the incident (which are admittedly more difficult to quantify).

Question type: enumerated list (multi-select) for variety; enumerated list (single-select) for rating; text field for amount, min_amount, and max_amount

Variable name: impact.loss (comprised of the variety (string), rating (string), and amount, min_amount, max_amount (number) variables)

Purpose: Identify the types of impact experienced after an incident, and indicate how overall losses are distributed among them.

Developer notes: N/A

Miscellaneous: This is admittedly a bit confusing as documented above. Basically, the user should be able to select all varieties of losses that apply and then be able to provide a relative rating (minor, moderate, major) and/or a quantitative estimate ($) of losses for each variety selected. Furthermore, we allow a triangular distribution (expected, min, max) to be specified for the loss estimates for each variety. All of this is optional, so you can use/record as much or as little of this as you like.

Loss estimation

Question Text: Estimate of total losses attributed to (or expected for) this incident.

User notes: In providing an estimate, consider all the loss varieties identified above.

Question type: text field(s)

Variable name: impact.overall_amount (number), impact.overall_min_amount (number), impact.overall_max_amount (number)

Purpose: Quantifying the impact of an incident (even using broad estimations) is a useful exercise for many reasons. It allows for direct comparison with other incidents and helps to put security-related losses in context with other types of risk. Furthermore, since impact is an essential component of risk, tracking losses is important to fueling risk assessment and treatment efforts. It also provides fodder for some very interesting metrics around spending and losses within the security program.

Developer notes: N/A

Miscellaneous: We allow a triangular distribution (expected, min, max) to be specified for the estimate of overall losses. Those wishing to enable more advanced analysis and modeling are encouraged to collect the three values as opposed to a single point estimate.
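To show how the per-variety loss entries and the overall estimate described above fit together in one record, here is an added example (written for this page, not VERIS project code) that checks a constructed impact block for internal consistency and compares the per-variety estimates with the overall one. The variety strings are assumed to follow the VERIS impact.loss.variety enumeration, the per-variety ratings are the minor/moderate/major scale named in the text, and all amounts are made up.

```python
# Constructed sample record shaped like the impact section described above (not a real incident).
SAMPLE_IMPACT = {
    "loss": [
        {"variety": "Response and recovery", "rating": "Major",
         "amount": 120000, "min_amount": 80000, "max_amount": 200000},
        {"variety": "Business disruption", "rating": "Moderate",
         "amount": 45000, "min_amount": 20000, "max_amount": 90000},
        {"variety": "Brand damage", "rating": "Minor"},  # relative rating only, no estimate
    ],
    "overall_amount": 170000,
    "overall_min_amount": 100000,
    "overall_max_amount": 300000,
    "iso_currency_code": "USD",
    "overall_rating": "Damaging",
}

LOSS_RATINGS = {"Minor", "Moderate", "Major"}  # per-variety ratings named in the text

def check_range(lo, mode, hi):
    """Problems with a triangular (min, expected, max) triple; any value may be absent."""
    problems = []
    if (lo is None) != (hi is None):
        problems.append("min and max must be given together")
    if lo is not None and hi is not None:
        if lo > hi:
            problems.append("min exceeds max")
        if mode is not None and not (lo <= mode <= hi):
            problems.append("expected value outside [min, max]")
    return problems

def validate_impact(impact):
    """Map of field -> problems for the impact block; an empty dict means it is consistent."""
    found = {}
    for i, entry in enumerate(impact.get("loss", [])):
        p = [] if "variety" in entry else ["missing variety"]
        if entry.get("rating") not in LOSS_RATINGS | {None}:
            p.append("unknown rating %r" % entry["rating"])
        p += check_range(entry.get("min_amount"), entry.get("amount"), entry.get("max_amount"))
        if p:
            found["loss[%d]" % i] = p
    p = check_range(impact.get("overall_min_amount"), impact.get("overall_amount"),
                    impact.get("overall_max_amount"))
    # Any monetary estimate is meaningless without the currency it is expressed in.
    if any(k.endswith("amount") for k in impact) and "iso_currency_code" not in impact:
        p.append("amounts given without iso_currency_code")
    if p:
        found["overall"] = p
    return found

def summarize_losses(impact):
    """Sum per-variety point estimates and triangular means; flag if points exceed the overall."""
    point = sum(e["amount"] for e in impact["loss"] if "amount" in e)
    tri = [e for e in impact["loss"] if all(k in e for k in ("amount", "min_amount", "max_amount"))]
    tri_total = sum(e["min_amount"] + e["amount"] + e["max_amount"] for e in tri) / 3
    return {"point_total": point, "triangular_total": tri_total,
            "point_exceeds_overall": point > impact.get("overall_amount", float("inf"))}
```

A per-variety total that exceeds the overall estimate is not necessarily wrong, since neither field is required, but it is a useful prompt to revisit whichever estimate was entered more casually.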

Estimation currency

Question Text: Select currency for loss estimations provided for this incident.

User notes: In providing an estimate, consider all the loss varieties identified above.

Question type: enumerated list (single-select)

Variable name: impact.iso_currency_code (string)

Purpose: Allows for normalization across estimates using different currencies.

Developer notes: Depending on your circumstances, it may make sense to preset and default currency rather than prompting the user for it each time. We recommend making it as easy as possible for the user to locate and select the appropriate currency code (e.g., a picklist).

Miscellaneous: N/A

Impact Rating

Question Text: How would you rate the overall impact of this incident to the organization?

User notes: In rating the impact, consider all the varieties of losses listed under the “Impact categorization” question.

Question type: enumerated list (multi-select)

Variable name: impact.overall_rating (string)

Purpose: Provides a sense for the relative impact of the incident to the organization. The scale is constructed around the notion of an injury to help answer the simple (but important) question of “How bad did it hurt?”.

Developer notes: Even though the enumeration file only includes the rating level (e.g., “Damaging”), we suggest including the full definition in the user interface to aid common interpretation of the ratings among users.

Miscellaneous: N/A

Notes

Question Text: Enter any additional details you deem noteworthy about the impact of this incident.

User notes: In providing an estimate, consider all the loss varieties identified above.

Question type: text field

Variable name: impact.notes (string)

Purpose: Catch-alls are handy

Developer notes: N/A

Miscellaneous: N/A