Fri Apr 8 06:47:16 PDT 2016

Overarching: Content: What content does the enterprise have and what are the consequences of protection failures?


Fill in the table by identifying relevant content types with examples, and by removing or replacing the consequences identified.


Different mechanisms have different implications in different situations in terms of the consequences of protection failures.

Typical consequences identified include:

  • LOW: Wasted time and effort (inefficiency) and losses reasonably covered by non-cyber insurance (e.g., shrinkage, minor accidents and injuries).
  • MEDIUM: Substantial negative publicity, acts viewed as gross negligence, substantial enterprise value reduction, serious injury, limited environmental damage or societal harm.
  • HIGH: Loss of life, serious environmental or societal damage, enterprise collapse, other dire consequences.

For example, a temperature control system might have LOW consequences in a small automated photographic developing facility, MEDIUM consequences in a food production facility (where redundant tests identify a "bad batch"), and HIGH consequences in a chemical plant where its failure causes a major explosion.

Typically, consequences resulting from information protection failures are associated with a loss of integrity (I), availability (A), confidentiality (C), control over use (U), accountability (T), transparency (R), and custody (S) in an information system. These losses ultimately lead to real-world effects through the impact of the failures on the control system.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved