Re: [dssa] please review: first-draft scale-choices for the "Impact" analysis
- To: "Mike O'Connor" <mike@xxxxxxxxxx>
- Subject: Re: [dssa] please review: first-draft scale-choices for the "Impact" analysis
- From: Cheryl Langdon-Orr <langdonorr@xxxxxxxxx>
- Date: Fri, 17 Feb 2012 11:50:40 +1100
After just "a quick read" I'm happy to go ahead next call and use these
modified criteria for our analysis...
Cheryl Langdon-Orr
(CLO)
On 17 February 2012 06:04, Mike O'Connor <mike@xxxxxxxxxx> wrote:
> hi all,
>
> here's my first try at the reworked "impact" scales from the call today.
> there are two that we vote on and one that we use to describe the nature
> of the impact for each threat event.
>
> i'm hoping that we'll use some revised version of the first two of these
> to evaluate the list of threat events on our next call. so please take a
> hard look and offer improvements here on the list over the next few days.
> Jorg and Jim are especially encouraged to focus on the "Range of impact"
> scale -- i've thrown a few options in there as a starting point, it would
> be great to get those nailed down before we go back to work next Thursday.
>
> thanks,
>
> mikey
>
> - - - - -
>
> *Range of impact*
>
> 10 -- sweeping, involving almost all of the users of the DNS (100%?
> >1,000,000,000?)
>
> 8 -- extensive, involving most of the users of the DNS (80%?
> >100,000,000?)
>
> 5 -- wide-ranging, involving a significant portion of users of the
> DNS (30%? >10,000,000?)
>
> 3 -- limited, involving some of the users of the DNS (10%?, 1,000,000?)
>
> 1 -- minimal, involving few if any of the users of the DNS (1%?,
> 100,000?)
>
> *Severity of impact*
>
> 10 -- Multiple severe or catastrophic adverse effects
>
> 8 -- A severe or catastrophic effect
>
> 5 -- Serious adverse effect
>
> 3 -- Limited adverse effect
>
> 1 -- Negligible adverse effect
>
> *Type of impact*
>
> Note: this is not an "evaluation" scale, but rather a description of what
> the impact would be. Here's a starter list, a heavily-culled version of
> the examples provided in the methodology:
>
> TABLE H-2: EXAMPLES OF ADVERSE IMPACTS
> Harm to operations, e.g.:
>   Inability to perform current missions/business functions.
>   Direct financial costs.
>   Harms (e.g., financial costs, sanctions) due to noncompliance with
>   laws, contracts or regulations.
> Harm to assets, e.g.:
>   Damage to or loss of physical facilities.
>   Damage to or loss of information systems or networks.
>   Damage to or loss of information technology or equipment.
>   Damage to or loss of information assets.
> Harm to individuals, e.g.:
>   Injury or loss of life.
>   Damage to image or reputation.
> Relational harms, e.g.:
>   Damage to trust relationships.
>   Damage to reputation (and hence future or potential trust
>   relationships).
>   Damage to or incapacitation of a critical infrastructure sector.
>
>
> - - - - - - - - -
> phone 651-647-6109
> fax 866-280-2356
> web http://www.haven2.com
> handle OConnorStP (ID for public places like Twitter, Facebook, Google,
> etc.)
>
>