9.2 Identify the Impact of Threats to Critical Assets

Risk broadens the view of threat by considering how threats ultimately affect an organization. In this activity, you create and record narrative descriptions of potential impacts that can result from threats to your critical assets. As you do this, you establish the link among assets, threats, and what is important to your organization (i.e., your business objectives), providing you with a basis on which you can analyze your risk.

Step 1: Review Information

Before you work though the steps in this activity, you need to review information about your critical assets. This is important, because you are building on information from process 4, which you probably completed a while ago. Specifically, we suggest that you look at the following for each critical asset:

• Security requirements

• Threat profiles

• Areas of concern

These data indicate what is important about each critical asset (security requirements) and how they are threatened (threat profile and areas of concern). You need to make sure that this information is fresh in your mind as you move on to step 2.

Step 2: Create Narrative Impact Descriptions

Your objective in this step is to record a narrative description of the potential impact on your organization of threats to your critical assets. Note the difference in the use of the terms "outcome" and "impact." An outcome is the immediate result of a threat; it centers on what happens to an asset. There are four possible threat outcomes: disclosure, modification, loss/destruction, and interruption. The impact, on the other hand, is broader, describing the effect of a threat on an organization's mission and business objectives. Consider the following example.

Someone inside the organization uses network access to deliberately modify the medical records database. This could result in patient death, improper treatment delivered to patients, lawsuits, and additional staff time to correct the records.

In this example the threat outcome is modification. Notice that modification is tied to an asset, namely, the medical records database. Now consider how modification of the medical records database can affect the organization. The potential impact on the organization includes the following: patient death, improper treatment delivered to patients, lawsuits, and additional staff time to correct the records. Again, an outcome is the immediate result of the threat actor and centers on assets, whereas the impact considers the resulting effect on the operations and people in the organization.

We ask you to consider impact in the following areas during this activity:

• Reputation/customer confidence

• Safety/health issues

• Fines/legal penalties

• Financial

• Productivity

These impact areas are contextual and should be tailored to meet the needs of your organization. Before you conduct an evaluation, you should determine which areas of impact to consider. One way to determine unique areas for your organization is to consider its business objectives and make sure that impact areas are linked to your key business objectives. For example, a military organization may add combat readiness as an area of impact.

To conduct step 2, select one of your critical assets. Review the threat profile for that critical asset. Make sure that you note which of the threat outcomes (disclosure, modification, loss/destruction, interruption) are part of the scenarios in the profile. Next, answer the following questions for each outcome that appears in at least one of the scenarios:

• What is the potential impact on the organization's reputation?

• What is the potential impact on customer confidence?

• What is the potential impact on customers' health or safety?

• What is the potential impact on staff members' health or safety?

• What fines or legal penalties could be imposed on the organization?

• What is the potential financial impact on the organization?

• What is the potential impact on the organization's or customers' productivity?

• What other types of impact could occur?

Continue with this activity until you have described the impact in relation to all critical assets. Make sure that you document your results.

Let's looks at our example to see how MedSite's analysis team completed this activity, specifically, how they created impact descriptions for PIDS. The team members reviewed the information that they had recorded for PIDS. They reviewed the threat profile, the security requirements, and areas of concern. (See Appendix A for a summary of this information for PIDS.)

The team members noted that at least one threat resulted in disclosure of PIDS information. Likewise, at least one threat resulted in modification, loss/destruction, and interruption of access to PIDS information. Thus, all threat outcomes were possible. As a result, the team would have to consider impacts in relation to all four outcomes. They discussed the key questions for each outcome and documented the resulting types of impact on MedSite. These are shown in Figure 9-1.

We have just shown you how to begin expanding threats into risks by considering the impact on the organization. Next, we present an approach for setting qualitative risk levels for your organization.