6. Impact
Impact Definition
In cybersecurity, impact refers to the potential magnitude of harm that can result from a threat event, such as unauthorized disclosure, modification, destruction of information, or the loss of availability of an information system.
Impact can affect various stakeholders, including organizational leaders, mission and business owners, information system owners, and individuals or groups relying on the organization.
Essentially, anyone with an interest in the organization's operations and assets could be affected by a threat's consequences.
Impact Assessment
Process for impact determination
Organizations assess impact by defining a process for impact determination, setting assumptions, using specific methods for obtaining impact information, and providing a rationale for their conclusions.
Priorities and values
These assessments are guided by established priorities and values, such as identifying high-value assets and understanding the adverse effects on stakeholders.
Tools to determine impact
Tools like security categorizations, privacy impact assessments, and business impact analyses help determine the organizational impact of threat events.
Immediate and long-term consequences
Impact assessments can consider both immediate effects on mission or business functions and long-term consequences, such as reputational damage. Risk tolerance thresholds are also used to determine if certain impacts are significant enough to warrant further analysis.
(Source: NIST SP 800-30)
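The following is an added worked example, not code from the page or from NIST SP 800-30. It walks through the impact-determination steps above: each consequence from the impact definition (disclosure, modification, destruction, loss of availability) is mapped to the security objective it harms, the asset's security categorization supplies the immediate impact (with a FIPS 199 style high-water mark for the overall category), a long-term consequence such as reputational damage is folded in, and the result is combined with likelihood and checked against a risk tolerance threshold to decide whether further analysis is warranted. The asset inventory, the long-term ratings and the likelihood-by-impact matrix are constructed illustrations (the matrix follows the shape of SP 800-30's qualitative scales but is not copied from it); the function and field names are this example's own.

```python
"""Added example, not code from the page or from NIST SP 800-30: a small
impact-determination helper. The inventory and the risk matrix below are
constructed illustrations, not values taken from any standard."""
from dataclasses import dataclass

# Ordered qualitative scale in the style of NIST SP 800-30 Appendix I.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Which security objective each consequence named in the impact
# definition harms (FIPS 199 objectives: confidentiality/integrity/availability).
OBJECTIVE_HARMED = {
    "unauthorized disclosure": "confidentiality",
    "unauthorized modification": "integrity",
    "destruction of information": "integrity",
    "loss of availability": "availability",
}

# Assumed likelihood x impact matrix: rows are likelihood, columns follow
# LEVELS for impact. Modeled on the shape of SP 800-30's scales, not copied.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class Asset:
    """Security categorization per objective, plus the long-term impact
    (e.g. reputational damage) the organization attributes to its loss."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    long_term: str = "Very Low"

    def high_water_mark(self) -> str:
        """FIPS 199 style overall categorization: the highest objective."""
        return max((self.confidentiality, self.integrity, self.availability),
                   key=RANK.__getitem__)


def immediate_impact(asset: Asset, consequence: str) -> str:
    """Immediate effect: the categorization of the objective this consequence harms."""
    return getattr(asset, OBJECTIVE_HARMED[consequence])


def overall_impact(asset: Asset, consequence: str) -> str:
    """Immediate effect combined with the asset's long-term consequence."""
    return max(immediate_impact(asset, consequence), asset.long_term,
               key=RANK.__getitem__)


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the assumed matrix for the combined risk level."""
    return RISK_MATRIX[likelihood][RANK[impact]]


def assess(asset: Asset, consequence: str, likelihood: str,
           tolerance: str = "Moderate") -> dict:
    """Determine impact and risk for one threat event on one asset, and
    flag it for further analysis when the risk reaches the tolerance threshold."""
    impact = overall_impact(asset, consequence)
    risk = risk_level(likelihood, impact)
    return {
        "asset": asset.name,
        "consequence": consequence,
        "impact": impact,
        "risk": risk,
        "further_analysis": RANK[risk] >= RANK[tolerance],
    }


# Constructed sample inventory (hypothetical systems).
INVENTORY = [
    Asset("customer-db", "High", "Moderate", "Moderate", long_term="High"),
    Asset("public-website", "Low", "Moderate", "High"),
    Asset("internal-wiki", "Low", "Low", "Low"),
]


def flag_for_analysis(inventory, consequence, likelihood, tolerance="Moderate"):
    """Names of the assets whose risk for this event meets the tolerance threshold."""
    return [a.name for a in inventory
            if assess(a, consequence, likelihood, tolerance)["further_analysis"]]


if __name__ == "__main__":
    for a in INVENTORY:
        print(a.name, a.high_water_mark(),
              assess(a, "unauthorized disclosure", "Moderate"))
```

The rationale for each conclusion is visible in the returned record (which objective was harmed, which impact level applied, which matrix cell produced the risk), which is the documented-rationale step the section asks for; the tolerance parameter is where an organization's own threshold replaces the default.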