If an incident occurs, it’s important to be able to quantify the damage caused.

Take a moment to think about whether you’ve personally ever experienced a security breach. In some cases, you might find out someone else is trying to access your email account and are encouraged to change your password. In other cases, you might find out that someone else has been using your credit card, a much more damaging breach. Not every incident will be as damaging as this, and the reaction needs to be appropriate, but how do you decide what appropriate is?

Decorative image: Two workers looking concerned while viewing a device; other screens behind them

Quantification process

When an incident occurs, a simple quantification process can be used to assess the effect an incident has had on an organisation. The process has four steps that, once carried out, result in an impact score. The process goes as follows:

Assess the negative consequences.
Assess the disruption and business down time.
Assess the resolution timeframe.
Prioritise the reaction, considering effort and resources.

Impact scoring

Each aspect of the incident is assessed, and a score between 1 and 4 is allocated to it in relation to its business impact and the process followed as mentioned earlier. For example, if the scope of the incident affected more than 50% of customers or systems, the score might be 3, however, if just one customer is affected, the score might be 1.

There are three different ratings an impact can be scored on:

Credibility - The credibility rating relates to any negative PR or other consequences. The greater the consequences, the higher the score
Operations - The operations rating might be 1 for no work interference, through to interference with core functions of the organisation scoring 4
Urgency - The urgency rating relates to the timeframe over which the resolution was required

Resolution of the impact in a short space of time would warrant a low score, whereas, if the incident was ongoing, it would warrant a high score. A score of 1 would be given if the priority to resolve the issue is very low, whereas an incident demanding an immediate and sustained effort using all available resources in the organisation or IRT might score 4.

NCSC guidance on impact scoring

The NCSC have created some guidance for you to reference when trying to quantify an impact in your organisation. Here is an overview of that guidance now:

NCSC Guidance:

Critical (4)

Over 80% of staff (or several critical staff/teams) unable to work
Critical systems offline with no known resolution
High risk to / definite breach of sensitive client or personal data
Financial impact of X
Severe reputational damage - likely to impact business long term

High (3)

50% of staff unable to work
Risk of breach of personal or sensitive data
Non-critical systems affected, or critical systems affected with known (quick) resolution
Financial impact of X
Potential serious reputational damage

Medium (2)

20% of staff unable to work
Possible breach of small amounts of non-sensitive data
Low risk to reputation
Small number of non-critical systems affected with known resolutions

Low (1)

Minimal, if any, impact
One or two non-sensitive / non-critical machines affected
<10% of non-critical staff affected temporarily (short term)

Key points

Let’s take a look at some of the key points to take with you as you move through the rest of this Course and lesson:

Responding to a cybersecurity incident
NIST cybersecurity incident response plan
NCSC Security incident management process
Quantification process and impact scoring
NCSC guidance on impact scoring

Conclusion

Now you understand how an incident can be quantified, you can find out how to identify a security incident. The sooner an incident is identified, the lower its impact score might be, so you can see how important this is.

Minor disruption or worse