[dssa] please review: first-draft scale-choices for the "Impact" analysis

["Mike O'Connor" <mike@xxxxxxxxxx>]

hi all,

here's my first try at the reworked "impact" scales from the call today.  there 
are two that we vote on and one that we use to describe the nature of the 
impact for each threat event.

i'm hoping that we'll use some revised version of the first two of these to 
evaluate the list of threat events on our next call.  so please take a hard 
look and offer improvements here on the list over the next few days.  Jorg and 
Jim are especially encouraged to focus on the "Range of impact" scale -- i've 
thrown a few options in there as a starting point, it would be great to get 
those nailed down before we go back to work next Thursday.

thanks,

mikey

 - - - - -

Range of impact

  10 -- sweeping, involving almost all of the users of the DNS (100%? 
>1,000,000,000?)

  8 -- extensive, involving most of the users of the DNS (80%? >100,000,000?)

  5 --wide-ranging, involving a significant portion of users of the DNS (30%? 
>10,000,000?)

  3 --limited, involving some of the users of the DNS (10%?, 1,000,000?)

  1 -- minimal, involving few if any of the users of the DNS (1%?, 100,000?)

Severity of impact

  10 -- Multiple severe or catastrophic adverse effects

  8 -- A severe or catastrophic effect

  5 -- Serious adverse effect

  3 -- Limited adverse effect

  1 -- Negligible adverse effect

Type of impact 

Note: this is not an "evaluation" scale, but rather a description of what the 
impact would be.  Here's a starter list, a heavily-culled version of the 
examples provided in the methodology:

TABLE H-2: EXAMPLES OF ADVERSE IMPACTS
    Harm to operations, e.g.:
        Inability to perform current missions/business functions.
        Direct financial costs.
        Harms (e.g., financial costs, sanctions) due to noncompliance with 
laws, contracts or regulations.
    Harm to assets, e.g.: 
        Damage to or loss of physical facilities.
        Damage to or loss of information systems or networks.
        Damage to or loss of information technology or equipment.
        Damage to or of loss of information assets.
    Harm to individuals, e.g.:
        Injury or loss of life.
        Damage to image or reputation.
    Relational harms, e.g.:
        Damage to trust relationships.
        Damage to reputation (and hence future or potential trust 
relationships).
    Damage to or incapacitation of a critical infrastructure sector.


- - - - - - - - -
phone   651-647-6109  
fax             866-280-2356  
web     http://www.haven2.com
handle  OConnorStP (ID for public places like Twitter, Facebook, Google, etc.)