Minor disruption or worse

If an incident occurs, it’s important to be able to quantify the damage caused.

Take a moment to think about whether you’ve personally ever experienced a security breach. In some cases, you might find out that someone else is trying to access your email account and be encouraged to change your password. In other cases, you might find out that someone else has been using your credit card, a much more damaging breach. Not every incident will be as damaging as this, and the reaction needs to be appropriate, but how do you decide what appropriate is?

Quantification process 

When an incident occurs, a simple quantification process can be used to assess the effect an incident has had on an organisation. The process has four steps that, once carried out, result in an impact score. The process goes as follows: 

  1. Assess the negative consequences.
  2. Assess the disruption and business down time. 
  3. Assess the resolution timeframe.
  4. Prioritise the reaction, considering effort and resources.  

Impact scoring  

Each aspect of the incident is assessed using the process described earlier and allocated a score between 1 and 4 according to its business impact. For example, if the scope of the incident affected more than 50% of customers or systems, the score might be 3; if just one customer is affected, the score might be 1.

There are three different ratings an impact can be scored on: 

  • Credibility - The credibility rating relates to any negative PR or other consequences. The greater the consequences, the higher the score.
  • Operations - The operations rating might be 1 for no work interference, through to 4 for interference with core functions of the organisation.
  • Urgency - The urgency rating relates to the timeframe over which the resolution was required.

Resolution of the impact in a short space of time would warrant a low score, whereas an ongoing incident would warrant a high score. A score of 1 would be given if the priority to resolve the issue is very low, whereas an incident demanding an immediate and sustained effort using all available resources in the organisation or incident response team (IRT) might score 4.

NCSC guidance on impact scoring  

The NCSC have created some guidance for you to reference when trying to quantify an impact in your organisation. Here is an overview of that guidance now: 

NCSC Guidance: 

Critical (4) 

  • Over 80% of staff (or several critical staff/teams) unable to work 
  • Critical systems offline with no known resolution 
  • High risk to / definite breach of sensitive client or personal data 
  • Financial impact of X 
  • Severe reputational damage - likely to impact business long term 

High (3) 

  • 50% of staff unable to work 
  • Risk of breach of personal or sensitive data 
  • Non-critical systems affected, or critical systems affected with known (quick) resolution 
  • Financial impact of X 
  • Potential serious reputational damage 

Medium (2) 

  • 20% of staff unable to work 
  • Possible breach of small amounts of non-sensitive data 
  • Low risk to reputation 
  • Small number of non-critical systems affected with known resolutions 

Low (1) 

  • Minimal, if any, impact 
  • One or two non-sensitive / non-critical machines affected
  • <10% of non-critical staff affected temporarily (short term) 
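
The bands above applied as a triage function, as an added example (not code from the NCSC or from this course). The field names, the SMALL_NUMBER cut-off, treating each percentage as the lower bound of its band and letting the worst criterion set the overall score are assumptions; the financial and reputational criteria are left out because the guidance gives no values for them.

```python
from dataclasses import dataclass

LEVELS = {4: "Critical", 3: "High", 2: "Medium", 1: "Low"}
SMALL_NUMBER = 5  # assumption: what a "small number" of systems means

@dataclass
class Incident:  # hypothetical record; field names are not from the NCSC
    staff_unable_pct: float       # % of staff unable to work
    critical_staff_blocked: bool  # several critical staff/teams unable to work
    critical_systems_hit: bool    # any critical system affected
    noncritical_hit: int          # count of non-critical systems affected
    resolution_known: bool        # a (quick) resolution is known
    data_risk: str                # key of the mapping in data_score()

def staff_score(i):
    # Assumption: each percentage in the guidance is the lower bound of its band.
    if i.critical_staff_blocked or i.staff_unable_pct > 80:
        return 4
    if i.staff_unable_pct >= 50:
        return 3
    return 2 if i.staff_unable_pct >= 20 else 1

def systems_score(i):
    if i.critical_systems_hit:
        return 3 if i.resolution_known else 4
    if i.noncritical_hit <= 2:
        return 1
    if i.noncritical_hit <= SMALL_NUMBER and i.resolution_known:
        return 2
    return 3

def data_score(i):
    # "definite_sensitive" also covers a high risk of breach of sensitive data.
    return {"none": 1, "possible_nonsensitive": 2,
            "risk_sensitive": 3, "definite_sensitive": 4}[i.data_risk]

def impact(i):
    """Return (score, level, drivers); the worst criterion wins (assumption)."""
    parts = {"staff": staff_score(i), "systems": systems_score(i),
             "data": data_score(i)}
    top = max(parts.values())
    drivers = sorted(k for k, v in parts.items() if v == top)
    return top, LEVELS[top], drivers

# Constructed sample incidents, not real cases.
RANSOMWARE = Incident(85, False, True, 12, False, "risk_sensitive")
LOST_LAPTOP = Incident(1, False, False, 1, True, "possible_nonsensitive")
```

The returned drivers list names which criteria produced the score, which is useful to record alongside the number when the rating is reviewed later.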

What’s next? 

Now you understand how an incident can be quantified, you can find out how to identify a security incident. The sooner an incident is identified, the lower its impact score might be, so you can see how important this is.  


In this module you’ll discover the close relationship between business continuity, disaster recovery and incident management.
