Overarching: Content: What content does the enterprise have and what are the consequences of protection failures?
Options:
Fill in the table by identifying relevant content types with examples and removing or replacing consequences identified.
Basis:
Different mechanisms have different implications in different situations in terms of the consequences of protection failures.
Typical consequences identified include:
- LOW: Wasted time and effort (inefficiency) and losses reasonably covered by non-cyber insurance (e.g., shrinkage, minor accidents and injuries).
- MEDIUM: Substantial negative publicity, acts viewed as gross negligence, substantial enterprise value reduction, serious injury, limited environmental damage or societal harm.
- HIGH: Loss of life, serious environmental or societal damage, enterprise collapse, other dire consequences.
For example, a temperature control system might have LOW consequences in a small automated photographic developing facility, MEDIUM consequences in a food production facility (where redundant tests identify a "bad batch"), and HIGH consequences in a chemical plant where its failure causes a major explosion.
Typically, consequences resulting from information protection failures are associated with a loss of integrity (I), availability (A), confidentiality (C), control over use (U), accountability (T), transparency (R), and custody (S) in an information system. These failures ultimately lead to real-world effects through their impact on the control system.