Impact and likelihood

Evaluating impact

Impact is “if this is real, how bad is it?” Four dimensions cover the typical impact picture. Each can be assessed independently; the combined view is what feeds the priority decision.

01 📁 Data sensitivity

The value and sensitivity of the data involved (personal, financial, health). Exposure can lead to identity theft, fraud, and legal consequences. Different classification categories (public → restricted) carry different risk weights when compromised. PII, PHI, payment card data, intellectual property, and authentication credentials sit at the top tier.

Volume also matters. A breach of thousands of customer records is a different scale from a single record, even at the same classification.

02 ⚙️ Operational disruption

How the event affects the organization’s ability to function: direct availability issues, productivity losses, customer-facing service disruption. The criticality of the affected systems to core business functions drives this dimension.

Recovery time objectives (RTO) and recovery point objectives (RPO) anchor the operational evaluation. An incident that threatens to exceed these thresholds raises priority materially.

03 📋 Regulatory & compliance

Industry- and geography-specific legal obligations. GDPR, HIPAA, PCI DSS, and SOX each set notification timelines and define what constitutes a reportable incident. Events that trigger reporting requirements typically represent elevated risk.

Different regulatory regimes have different thresholds for materiality and different notification clocks. The Scope stage identified which regimes apply; the Risk stage decides whether the technical evidence meets the threshold.

04 🪞 Reputational

How the event would affect stakeholder perceptions if it became public: customer trust, partner relationships, investor confidence, market positioning. Reputational damage often outlasts the direct operational impact and is harder to quantify and remediate.

Factors include visibility of affected systems, data sensitivity, the organization’s existing public profile, and whether the incident suggests negligence vs. sophisticated targeting.


Evaluating likelihood

Likelihood is “how confident are we that this finding is real, and how likely is it to continue?” The dimension reflects evidence strength, attacker capability, and environmental resilience.

01 🎭 Threat actor sophistication

Skill level and resources behind the activity. An attack linked to an APT group is more targeted and harder to mitigate than an opportunistic attempt by a commodity actor. Custom tooling, multi-stage operations, and infrastructure investment raise the sophistication score.

02 🔓 Exploitability

Whether the attack targets known, easily exploitable vulnerabilities or requires advanced techniques. Public exploits, low attack complexity, and broad applicability raise the likelihood of success; compensating controls and patch status temper it.

03 📜 Historical incident frequency

Has the organization experienced similar incidents? Recurrence often signals persistent vulnerabilities or weaknesses. Frequency of past incidents is the strongest predictor of future ones in the same category.

04 🛡️ Security control coverage

The effectiveness of firewalls, IDS, endpoint protection, and identity controls. Gaps increase the chance of successful compromise; layered, well-maintained controls reduce it. The current state of compensating controls modifies the raw exploitability score.

Likelihood indicators at a glance

Factor              | Low likelihood                                    | High likelihood
Threat actor        | Opportunistic, untargeted, limited resources      | Targeted, persistent, well-resourced
Exploitability      | Complex exploitation, requires privileged access  | Simple exploitation, public exploits available
Security controls   | Multiple overlapping controls, well-maintained    | Limited or outdated controls, known gaps
Historical patterns | No similar past incidents, uncommon vector        | Recurring incidents, active campaigns

Producing the verdict

The Risk output combines the two dimensions into a defensible priority. The verdict should include:

πŸ“Š Impact score

High / medium / low across the four impact dimensions, with a one-sentence rationale per dimension. The combined impact is the floor of the priority decision.

🎯 Likelihood score

High / medium / low based on evidence quality, sophistication, exploitability, and control coverage. Confidence in the evidence is part of this score.

🚦 Combined priority

From the triage matrix. Drives escalation timing and resource allocation. Not a number; a defended judgment with named inputs.

❓ Open questions

What the analyst could not resolve, and what new evidence would change the verdict. This is what makes the verdict defensible later.
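The verdict assembly described above, as an added example written for this page rather than any tooling from the original: each impact dimension and likelihood factor is rated low/medium/high with a mandatory one-sentence rationale, the four impact ratings collapse to the worst one, strong control coverage steps the raw exploitability rating down before likelihood is combined, the likelihood is capped at the evidence-confidence level, and a triage matrix maps the pair to a priority that is reported together with its named inputs and open questions. The combination rules and the matrix itself are assumptions made here, since the page names the inputs but does not define the arithmetic; the sample finding is constructed.

```python
"""Added example: build a defensible risk verdict from impact and likelihood ratings.

Assumptions (the page names the inputs but not the arithmetic):
  * combined impact is the worst of its four dimensions;
  * control coverage rated "low likelihood" (strong controls, as in the table)
    lowers the raw exploitability rating by one step;
  * combined likelihood is the worst remaining factor, capped at evidence confidence;
  * the triage matrix below is a conventional one, not the page's own.
"""
from __future__ import annotations
from dataclasses import dataclass, field

LEVELS = ("low", "medium", "high")
IMPACT_DIMENSIONS = ("data_sensitivity", "operational_disruption", "regulatory", "reputational")
LIKELIHOOD_FACTORS = ("threat_actor", "exploitability", "historical_frequency", "control_coverage")

# Assumed triage matrix: (impact, likelihood) -> priority.
TRIAGE_MATRIX = {
    ("high", "high"): "critical", ("high", "medium"): "high",   ("high", "low"): "medium",
    ("medium", "high"): "high",   ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium",    ("low", "medium"): "low",      ("low", "low"): "low",
}


@dataclass
class Rating:
    """One low/medium/high judgement plus the sentence that justifies it."""
    level: str
    rationale: str

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"level must be one of {LEVELS}, got {self.level!r}")
        if not self.rationale.strip():
            raise ValueError("every rating needs a one-sentence rationale")


def _worst(levels) -> str:
    return max(levels, key=LEVELS.index)


def _step_down(level: str) -> str:
    return LEVELS[max(0, LEVELS.index(level) - 1)]


def _require(ratings: dict[str, Rating], expected: tuple[str, ...]) -> None:
    missing = [name for name in expected if name not in ratings]
    if missing:
        raise ValueError(f"missing ratings for: {', '.join(missing)}")


def impact_score(impact: dict[str, Rating]) -> str:
    """Combined impact: the worst of the four dimensions (assumption)."""
    _require(impact, IMPACT_DIMENSIONS)
    return _worst(impact[d].level for d in IMPACT_DIMENSIONS)


def likelihood_score(likelihood: dict[str, Rating], evidence_confidence: str) -> str:
    """Combined likelihood with the control adjustment and confidence cap (assumptions)."""
    _require(likelihood, LIKELIHOOD_FACTORS)
    if evidence_confidence not in LEVELS:
        raise ValueError("evidence_confidence must be low/medium/high")
    levels = {f: likelihood[f].level for f in LIKELIHOOD_FACTORS}
    # Well-maintained, overlapping controls temper the raw exploitability rating.
    if levels["control_coverage"] == "low":
        levels["exploitability"] = _step_down(levels["exploitability"])
    raw = _worst(levels.values())
    # Weak evidence cannot support a confident "high likelihood" verdict.
    return min(raw, evidence_confidence, key=LEVELS.index)


@dataclass
class Verdict:
    impact: str
    likelihood: str
    priority: str
    rationale: list[str] = field(default_factory=list)
    open_questions: list[str] = field(default_factory=list)

    def render(self) -> str:
        lines = [f"Impact: {self.impact} | Likelihood: {self.likelihood} | Priority: {self.priority}"]
        lines += [f"  - {r}" for r in self.rationale]
        lines += ["Open questions:"] + [f"  ? {q}" for q in self.open_questions]
        return "\n".join(lines)


def produce_verdict(impact, likelihood, evidence_confidence, open_questions) -> Verdict:
    imp = impact_score(impact)
    lik = likelihood_score(likelihood, evidence_confidence)
    rationale = [f"{name}={r.level}: {r.rationale}"
                 for name, r in list(impact.items()) + list(likelihood.items())]
    rationale.append(f"evidence_confidence={evidence_confidence}")
    return Verdict(imp, lik, TRIAGE_MATRIX[(imp, lik)], rationale, list(open_questions))


# Constructed sample input: a hypothetical web-server finding, not a real incident.
SAMPLE_IMPACT = {
    "data_sensitivity": Rating("high", "Host fronts a database holding customer PII."),
    "operational_disruption": Rating("medium", "One of three load-balanced nodes; RTO not yet at risk."),
    "regulatory": Rating("high", "PII exposure would start GDPR notification clocks."),
    "reputational": Rating("medium", "Customer-facing service, but no public sign of compromise."),
}
SAMPLE_LIKELIHOOD = {
    "threat_actor": Rating("medium", "Commodity scanner activity, no APT-linked infrastructure seen."),
    "exploitability": Rating("high", "Public exploit exists for the unpatched version in use."),
    "historical_frequency": Rating("low", "No prior incidents involving this vector."),
    "control_coverage": Rating("low", "WAF rule for this exploit is deployed and alerting."),
}
SAMPLE_QUESTIONS = ["Did the WAF block every attempt, or only the ones that alerted?"]

if __name__ == "__main__":
    print(produce_verdict(SAMPLE_IMPACT, SAMPLE_LIKELIHOOD, "high", SAMPLE_QUESTIONS).render())
```

Run as a script it prints the verdict for the constructed finding: high impact, medium likelihood (the public exploit is tempered by the deployed WAF rule), priority high under the assumed matrix, with every input and the open question listed. Swapping the control-coverage rating to "high" (known gaps) leaves exploitability untouched and the same finding becomes critical, which is the page's point that control state modifies the raw exploitability score.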
