The most important step in measuring the level of risk is to determine the adverse impact resulting from a successful threat exercise of a vulnerability. Before beginning the impact analysis, the following information must be obtained:
- System mission (e.g., the procedures performed by the IT system)
- System and data criticality (e.g., the system’s value or significance to an organization)
- System and data sensitivity.
This information can be obtained from existing organizational documentation, for example the mission impact analysis report or the asset criticality assessment report. A mission impact analysis (also known as a business impact analysis [BIA] at some software companies in India) prioritizes the impact levels associated with the compromise of an organization's information assets, based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. An asset criticality assessment identifies and prioritizes the sensitive and critical organizational information assets (e.g., hardware, software, systems, services, and related technology assets) that support the organization's critical missions.
Some tangible impacts can be measured quantitatively in lost revenue, the cost of repairing the system, or the level of effort needed to correct problems caused by a successful threat action. Other impacts (e.g., loss of public confidence, loss of credibility, damage to an organization's interest) cannot be measured in specific units but can be qualified or described in terms of high, medium, and low impact. Because of the generic nature of this discussion, this guide designates and describes only the qualitative categories: high, medium, and low impact.
Magnitude of Impact | Impact Definition
--- | ---
High | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
Low | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; or (2) may noticeably affect an organization's mission, reputation, or interest.
Quantitative versus Qualitative Assessment
In conducting the impact analysis, consideration should be given to the advantages and disadvantages of quantitative versus qualitative assessments. The main advantage of a qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. The disadvantage of a qualitative analysis is that it does not provide specific quantifiable measurements of the magnitude of the impacts, which makes a cost-benefit analysis of any recommended controls difficult. The major advantage of a quantitative impact analysis is that it provides a measurement of the impacts' magnitude, which can be used in the cost-benefit analysis of recommended controls. The disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner. Additional factors often must be considered to determine the magnitude of impact. These may include, but are not limited to:
- An approximation of the occurrence of the threat-source’s exercise of the vulnerability over a quantified time period (e.g., 1 year)
- An approximate cost for each incidence of the threat-source’s exercise of the vulnerability
- A weighting factor based on a subjective analysis of the relative impact of a specific threat's exercising a specific vulnerability.
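The three factors above combine into an annualized loss figure per threat scenario (expected occurrences per year, multiplied by the cost per occurrence, multiplied by the subjective weighting factor), and that figure can then be mapped back onto the High/Medium/Low scale from the table above when the raw numbers are hard to interpret on their own. The following is an added example, not code from the original guide; the threshold values, the scenario names and the loss figures are constructed assumptions chosen only to show the arithmetic, and the net-benefit calculation shows the kind of cost-benefit comparison of a recommended control that a purely qualitative analysis cannot support.

```python
"""Quantitative impact analysis with a qualitative rating layered on top.

Added example, not part of the original guide. Thresholds, weights and the
sample scenarios are constructed assumptions, not figures from the page.
"""
from dataclasses import dataclass

# Constructed thresholds on annualized loss (currency units per year) that
# translate a number back into the guide's High / Medium / Low scale.
HIGH_THRESHOLD = 100_000.0
MEDIUM_THRESHOLD = 10_000.0


@dataclass(frozen=True)
class ThreatScenario:
    """One threat-source exercising one vulnerability against one asset."""
    name: str
    annual_rate: float           # expected occurrences per year
    cost_per_occurrence: float   # estimated cost of a single occurrence
    weight: float = 1.0          # subjective relative-impact factor, 0 < weight <= 1


def annualized_loss(s: ThreatScenario) -> float:
    """Annualized loss = occurrences per year x cost per occurrence x weight."""
    if s.annual_rate < 0 or s.cost_per_occurrence < 0 or not 0 < s.weight <= 1:
        raise ValueError(f"invalid inputs for scenario {s.name!r}")
    return s.annual_rate * s.cost_per_occurrence * s.weight


def qualitative_rating(loss: float) -> str:
    """Map an annualized loss onto the High / Medium / Low impact scale."""
    if loss >= HIGH_THRESHOLD:
        return "High"
    if loss >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def rank_scenarios(scenarios):
    """Return (name, annualized loss, rating) ordered from largest loss down."""
    rows = []
    for s in scenarios:
        loss = annualized_loss(s)
        rows.append((s.name, loss, qualitative_rating(loss)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def control_net_benefit(before: ThreatScenario, after: ThreatScenario,
                        annual_control_cost: float) -> float:
    """Net annual benefit of a control: loss avoided minus the control's own cost.

    A negative result means the control costs more per year than it saves.
    """
    return annualized_loss(before) - annualized_loss(after) - annual_control_cost


# Constructed sample scenarios (hypothetical assets and figures).
SAMPLE_SCENARIOS = [
    ThreatScenario("ransomware on file server", annual_rate=0.5,
                   cost_per_occurrence=250_000.0, weight=1.0),
    ThreatScenario("phishing credential theft", annual_rate=4.0,
                   cost_per_occurrence=8_000.0, weight=0.8),
    ThreatScenario("defacement of marketing site", annual_rate=1.0,
                   cost_per_occurrence=3_000.0, weight=0.5),
]

# Hypothetical control: tested offline backups cut the per-occurrence cost of
# the ransomware scenario (the rate of occurrence is unchanged).
RANSOMWARE_WITH_BACKUPS = ThreatScenario("ransomware on file server",
                                         annual_rate=0.5,
                                         cost_per_occurrence=40_000.0,
                                         weight=1.0)
BACKUP_CONTROL_ANNUAL_COST = 30_000.0


if __name__ == "__main__":
    for name, loss, rating in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"{name:32s} {loss:>12,.0f}/year  {rating}")
    benefit = control_net_benefit(SAMPLE_SCENARIOS[0], RANSOMWARE_WITH_BACKUPS,
                                  BACKUP_CONTROL_ANNUAL_COST)
    print(f"net annual benefit of backup control: {benefit:,.0f}")
```

The weighting factor is deliberately bounded to (0, 1] so that it can only scale an impact down relative to the unweighted estimate; if the assessment needs a factor that amplifies, the validation in `annualized_loss` is the place to change, and the thresholds should be revisited at the same time, since the qualitative rating is only as meaningful as the numerical ranges behind it.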
Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency. A BIA is an essential component of the business continuity plan of almost any software company in India; it comprises an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk.