Develop Impact Criteria
Learning Objectives
After completing this unit, you’ll be able to:
- Explain how to evaluate risk using Impact and Expectancy.
- Identify how to develop Impact Criteria for the Mission, Operational and Financial Objectives, and Obligations.
Evaluate Risk Using Impact and Expectancy
The Center for Internet Security, Inc.’s (CIS®) Risk Assessment Method (RAM) Version 2.1 (v2.1) evaluates risk using Risk = Impact x Expectancy. Using this calculation, you as a risk assessor can evaluate both currently observed risks and recommended CIS Safeguards to determine whether recommended Safeguards are reasonable. Observed risk is the current risk as it appears to the risk assessor.
Recall that the CIS created CIS Critical Security Controls (CIS Controls) Implementation Groups (IG1, IG2, and IG3), which identify a subset of the CIS Controls that are applicable to an organization with a certain risk profile. The following example applies to an organization in IG2. For documentation and workbooks relevant to each IG, see here.
Create Definitions for Impact
Recall that the first step of the CIS RAM is to develop the Risk Assessment Criteria. To define this criteria, you first develop Impact Criteria. Let’s follow along with Sean, a risk assessor at a car manufacturing company called Custom Car Company (CCC), as he uses the CIS RAM to define Risk Assessment Criteria. Sean uses the CIS RAM for IG2 v2.1 Companion Workbook, which is an Excel file that helps him populate Impact Criteria, Enterprise Parameters (covered in the following unit), and Risk Register Controls (covered in the Risk and Safeguard Modeling and Evaluation module).
The impacts in the scenarios below are just one example of many impacts your organization may want to consider.
First, Sean defines impacts, taking into account CCC’s Mission (the benefit that interested parties gain from CCC), Operational and Financial Objectives (CCC’s goals), and Obligations (to protect others from harm). In the CIS RAM, the Impact Magnitudes range from Negligible to Catastrophic using the following definitions.
- Negligible: If any impact occurs, it isn’t in evidence, or it is so low that it could be ignored.
- Acceptable: While this impact is in evidence and cannot be ignored, it doesn’t require repair, correction, or compensation. The normal course of business can correct the issue.
- Unacceptable: The impact requires repair, correction, or compensation that is accomplished with less than a major effort or investment.
- High: The impact requires significant repair, correction, or compensation and leads to a catastrophic result if it’s not addressed.
- Catastrophic: The impact leads to an irreparable loss.
Mission Impact Magnitude
To develop Impact Criteria for the Mission, Sean describes the benefit that CCC provides its customers, clients, constituents, and the public: “CCC reliably produces just-in-time, custom cars that meet demanding resiliency and design specifications, within market-leading turnaround times.” He then imagines what happens if CCC suffers a cybersecurity incident. He describes how he determines that the impacts to his Mission are acceptable or unacceptable.
| Impact Magnitude | Prompt | Response |
|---|---|---|
|
1. Negligible |
What evidence suggests that your Mission is unaffected? |
All orders are produced within specifications and on time. |
|
2. Acceptable |
What evidence suggests that your Mission is compromised but does not require correction? |
All orders are produced within specifications and on time, but some can require unplanned effort to stay within tolerance metrics. |
|
3. Unacceptable |
What evidence suggests that your Mission is compromised and requires correction through the normal course of business? |
Few orders each quarter (outside of our tolerance metrics) can miss targets but could be corrected with adjustments or discounts. |
|
4. High |
What evidence suggests that your Mission is compromised and requires extraordinary efforts to restore it? |
We repeatedly miss targets outside of tolerance metrics, requiring regular adjustments. |
|
5. Catastrophic |
What evidence suggests that your Mission is compromised so badly that it could not be achieved? |
We can’t meet our Mission. |
Operational Objectives Impact Magnitude
Next, to develop Impact Criteria for CCC’s Operational Objectives, Sean considers what business goals CCC attempts to achieve. He states CCC’s Operational Objectives as follows: “To maintain CCC’s market position as the best custom car manufacturer”. He imagines that CCC suffers a cybersecurity incident, and describes how he determines that the impacts to CCC’s Operational Objectives were acceptable or unacceptable.
| Impact Magnitude | Prompt | Response |
|---|---|---|
|
1. Negligible |
What evidence suggests that your Operational Objectives are unaffected? |
We consistently ranked #1 in all categories in the annual Custom Car World magazine poll. |
|
2. Acceptable |
What evidence suggests that your Operational Objectives are compromised but do not require correction? |
We ranked #1 in only one category of the Custom Car World magazine poll for 1 year. |
|
3. Unacceptable |
What evidence suggests that your Operational Objectives are compromised and require correction through the normal course of business? |
We did not rank #1 in any category of the Custom Car World magazine poll for 1 year. |
|
4. High |
What evidence suggests that your Operational Objectives are compromised and require extraordinary efforts to restore them? |
We did not rank in the top three in any category of the Custom Car World magazine poll for 2 years or more. |
|
5. Catastrophic |
What evidence suggests that your Operational Objectives are compromised so badly that they could not be achieved? |
We are unable to rank well in the annual Custom Car World magazine poll. |
Financial Objectives Impact Magnitude
Next, to develop Impact Criteria for the Financial Objectives, Sean considers what unexpected cost outlays CCC could or could not tolerate. He states CCC’s Financial Objectives as follows: “To achieve our profit goals each year”. He imagines that CCC suffers a cybersecurity incident, and describes how he determines that the impacts to CCC’s Financial Objectives were acceptable or unacceptable.
| Impact Magnitude | Prompt | Response |
|---|---|---|
|
1. Negligible |
What evidence suggests that your Financial Objectives are unaffected? |
We don’t pay attention to a problem if it resulted in an annual loss of up to US$1,000 of unexpected financial impact. We normally ignore budget variances smaller than this amount. This is the maximum impact we can suffer and call it Negligible. |
|
2. Acceptable |
What evidence suggests that your Financial Objectives are compromised but do not require correction? |
If the incident resulted in an annual financial loss of more than $1,000 but less than $10,000, we find it Acceptable and don’t invest to prevent it. |
|
3. Unacceptable |
What evidence suggests that your Financial Objectives are compromised and require correction through the normal course of business? |
Unexpected annual losses of $10,000 up to $500,000 take an entire fiscal year to recover from. |
|
4. High |
What evidence suggests that your Financial Objectives are compromised and require extraordinary efforts to restore them? |
Beyond $500,000 in unexpected annual losses, we need to make significant changes to how we do business (for example, through layoffs, new efficiencies, or investments) to recover from that loss. If we suffered unexpected losses of $5,000,000, it puts us out of business. |
|
5. Catastrophic |
N/A |
There’s no reason to provide a value for this Impact Magnitude, since once we cross into this territory, there is the potential for significant and extreme financial losses. |
Obligations Impact Magnitude
Finally, to develop Impact Criteria for CCC’s Obligations, Sean considers what harm may forseeably come to others as a result of a cybersecurity incident. He states CCC’s Obligations as follows: “To protect our customers from harm due to loss of our intellectual property, such as radio software and hands-free phone software, or AI technology that provides services such as blind spot detection”.
| Impact Magnitude | Prompt | Response |
|---|---|---|
|
1. Negligible |
Describe a condition where others are not harmed. |
No customers suffer due to a loss of our competitive advantage. |
|
2. Acceptable |
Describe a condition where others don’t require correction or compensation if harmed. |
One or few customers may be concerned about our potential loss of competitive advantage, but no harm results. |
|
3. Unacceptable |
Describe a condition where only a few individuals are harmed within tolerance. |
One or few customers suffer due to a minor loss of our competitive advantage, but they could be made whole within a fiscal year. |
|
4. High |
Describe a condition where many others are harmed but to a degree that you could correct, or where few others are harmed but to a degree that others always have a small degree of impairment. |
Many customers suffer due to a minor loss of our competitive advantage, or one to few customers suffer harm that requires significant business investment or planning to recover. |
|
5. Catastrophic |
Describe a condition where others are irreparably harmed. |
We aren’t able to protect our customers from losses due to intellectual property theft. |
Sum It Up
You now have a better understanding of how to define Impact Magnitudes for your organization’s Mission, Operations and Financial Objectives, and Obligations. Now let’s turn to the next step in defining the Risk Assessment Criteria: defining Enterprise Parameters.
