Risk Impact: Confidentiality, Integrity, and Availability

From Security for Everyone, edition e1.0.0, updated October 9, 2023

Impact is how we measure the effect of exploiting a flaw in our security. It helps us understand what will happen; what systems, processes, and people are involved; and the effect this exploitation may have on our wider organization.

In security, we often start examining impact by looking at the effect on the confidentiality, integrity, and availability of operations, systems, or services. These effects can be on a system-by-system level or on an organization-wide level.

Let’s get familiar with each of these impacts.

Confidentiality

Definition Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Definition A confidentiality agreement is a system of rules controlling who is authorized to access or interact with our data or systems.

Imagine you’re in an office; we’re going to explore the difference between an implicit and an explicit confidentiality requirement.

A colleague wants to share something confidential with you. They whisper their secret to you. Now, what do you do at this point? How long do you keep it secret for? Who are you allowed to tell, and who are you not allowed to tell? In what circumstances can you share it with other people? Navigating these questions without any written rules is what we call an implicit confidentiality agreement.


Some of you will decide that, well, it’s a secret, so it’s confidential and you will keep it this way forever. Nobody needs to know that you ever knew this information. Some of you will listen to the noise in the office, and if it feels like other people are already talking about it, then you’ll start to loosen up your controls on your confidentiality. Some of you won’t share it at all in the office, but might go home and tell a loved one what you’ve heard.

Definition An implicit confidentiality agreement, like the one in our scenario, is one built on expected or assumed rules. They are assessed dynamically by each person, and they vary from person to person. So in our office environment, this is how we end up with gossip that everyone knows, but everyone pretends is a secret.

Definition In security, we prefer explicit confidentiality agreements. These are objective statements or rules that are defined or documented and can often be checked programmatically: the answer is yes or no, good or bad, pass or fail.

Aim to make explicit confidentiality rules for your organization so that you can measure the impact of incidents and actions.
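An added example (not from the book) of what "checked programmatically" can look like. It encodes one explicit confidentiality rule, "a person may read a document only if their clearance is at least the document's classification and, where the document belongs to a project, they are on that project", and then evaluates a constructed access log against it. Every access that fails the rule is an unauthorized disclosure, which is exactly the thing you need to count when measuring the impact of an incident. The classification levels, the people, the documents, and the log are all invented for illustration.

```python
"""Explicit confidentiality rule, checked programmatically.

Added example, not part of the book. Levels, subjects, documents and the
access log are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Ordered classification levels (assumption: a simple linear hierarchy).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str             # highest level this person may read
    projects: FrozenSet[str]   # need-to-know compartments they belong to


@dataclass(frozen=True)
class Document:
    doc_id: str
    level: str
    project: Optional[str] = None   # None: no compartment restriction


def may_read(subject: Subject, doc: Document) -> bool:
    """The explicit rule. It is pass/fail: no judgement calls, no gossip."""
    if LEVELS[subject.clearance] < LEVELS[doc.level]:
        return False                           # "no read up"
    if doc.project is not None and doc.project not in subject.projects:
        return False                           # no need-to-know
    return True


def audit(access_log: List[Tuple[str, str]],
          subjects: Dict[str, Subject],
          documents: Dict[str, Document]) -> List[Tuple[str, str, str]]:
    """Replay each logged read against the rule.

    Returns (who, doc_id, level) for every read the rule would have
    refused: these are the unauthorized disclosures whose impact we
    can now count and rank.
    """
    violations = []
    for who, doc_id in access_log:
        if not may_read(subjects[who], documents[doc_id]):
            violations.append((who, doc_id, documents[doc_id].level))
    return violations


def highest_level_disclosed(violations) -> Optional[str]:
    """One simple impact measure: the most sensitive level that leaked."""
    if not violations:
        return None
    return max((v[2] for v in violations), key=lambda lvl: LEVELS[lvl])


# --- constructed sample data -------------------------------------------
SUBJECTS = {
    "alice": Subject("alice", "confidential", frozenset({"merger"})),
    "bob":   Subject("bob",   "internal",     frozenset()),
    "carol": Subject("carol", "restricted",   frozenset()),
}
DOCUMENTS = {
    "D1": Document("D1", "public"),
    "D2": Document("D2", "confidential", project="merger"),
    "D3": Document("D3", "restricted"),
    "D4": Document("D4", "internal"),
}
# Constructed access log of (who, what they read).
ACCESS_LOG = [
    ("alice", "D2"),   # allowed: cleared and on the merger project
    ("bob",   "D2"),   # violation: clearance too low, not on project
    ("carol", "D2"),   # violation: cleared by level, but no need-to-know
    ("carol", "D3"),   # allowed
    ("bob",   "D1"),   # allowed: public
    ("alice", "D3"),   # violation: reading above her clearance
]


def example_audit():
    """Run the constructed log through the rule; returns the violations."""
    return audit(ACCESS_LOG, SUBJECTS, DOCUMENTS)


if __name__ == "__main__":
    found = example_audit()
    for who, doc_id, level in found:
        print(f"unauthorized read: {who} -> {doc_id} ({level})")
    print("highest level disclosed:", highest_level_disclosed(found))
```

The point is not the particular rule but that it is written down once, applies the same way to everyone, and can be replayed over a log after the fact. Contrast that with the whispered secret above, where every person applied their own rule and nobody could say afterwards how far the information had spread.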

Integrity

Integrity is interesting. We’re used to talking about integrity when it comes to people. For example, this person has really good integrity. I can trust them. Their character is good. However, that’s not the sort of integrity we’re talking about here. We’re talking about the integrity of the data in our systems and whether it can be trusted.

Definition Integrity (or data integrity) in a system refers to maintaining the accuracy and completeness of data over its entire lifecycle. Integrity requires protection of system data from intentional or accidental unauthorized changes.

The clearest example of a system that requires good integrity is a bank. For example, if some incorrect data gets into the database controlling our interest rates, that interest rate then affects our home loans, our credit cards, or our savings. An incorrect interest rate affects whether people are earning more or less money on the pennies they've squirreled away for a rainy day.

It’s very important that we understand the integrity of our systems because of the significant impact of compromises to data integrity. We don’t want to have to undo our decisions later, as that’s very expensive for our organizations.
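An added example (not from the book) of one common way to protect the integrity of stored records such as the interest-rate table above: each record is sealed with an HMAC under a key that the database itself never holds, so any change made without that key, whether a deliberate edit or an accidental corruption, fails verification. The key, the product names and the rates are all constructed for illustration.

```python
"""Tamper-evident records: detecting unauthorized changes with an HMAC.

Added example, not part of the book. The key and the rate table are
constructed for illustration only.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Assumption: in a real deployment this key lives in a separate secrets
# store, not alongside the data, so that whoever can edit the table
# cannot also recompute the tags.
KEY = b"constructed-demo-key-not-for-production"


def canonical(record: Dict) -> bytes:
    """Serialise deterministically so the same data always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: Dict, key: bytes) -> Dict:
    """Attach an HMAC-SHA256 tag to a copy of the record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": dict(record), "tag": tag}


def verify(sealed: Dict, key: bytes) -> bool:
    """True only if the data still matches the tag computed under key."""
    expected = hmac.new(key, canonical(sealed["data"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the comparison diverges.
    return hmac.compare_digest(expected, sealed["tag"])


def failing_rows(sealed_rows: List[Dict], key: bytes) -> List[str]:
    """Return the product names of every row whose integrity check fails."""
    return [row["data"]["product"] for row in sealed_rows if not verify(row, key)]


# --- constructed interest-rate table -----------------------------------
RATES = [
    {"product": "savings",     "rate": 0.0425},
    {"product": "home_loan",   "rate": 0.0615},
    {"product": "credit_card", "rate": 0.2199},
]


def demo() -> List[str]:
    """Seal the table, simulate an unauthorized edit, report what is caught."""
    sealed = [seal(r, KEY) for r in RATES]
    # Someone (or some bug) rewrites the home-loan rate directly in the
    # store, without access to KEY, so the tag is left untouched.
    sealed[1]["data"]["rate"] = 0.615
    return failing_rows(sealed, KEY)


if __name__ == "__main__":
    print("rows failing integrity check:", demo())   # home_loan
```

A plain hash would not be enough here: anyone who can change the rate could recompute an unkeyed hash to match. Keying the tag is what turns "the data changed" into "the data changed without authorization", which is the property the integrity definition above asks for. Detecting the bad rate before it is applied is far cheaper than unwinding months of mis-charged interest afterwards.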

Availability

Definition Availability in our systems means ensuring that the systems remain open for business as and when they are required to be, and that they remain accessible for all users.

Even as late as 15 years ago, availability in many of our systems revolved around standard operating hours for a business, such as 9 a.m. to 5 p.m. in office environments.

We now live in a time where availability is expected to be far broader than this, with many online operations offering customer service 24/7, including at times when they would never expect a customer to walk through the door.

Security is about balance. It cannot come at the cost of availability.

Availability is incredibly valuable to our organizations. This means we can’t simply put in a security control to improve the safety of our data and our systems if it means the systems cannot be accessed anymore. A secure system allows people to use it 24 hours a day, seven days a week if that’s what they need, and it allows them to do what they need to do safely and securely. And that’s a difficult balance to achieve indeed.

Risk Impact: Understanding the Cost

While confidentiality, integrity, and availability are all important parts of how we examine the impact of a security event or risk, there is one last step we need to take. We need to translate these system- or process-level impacts into the overall effect that this event will have on our organization, data, or customers. This is a less technical, more business-focused assessment that is often used to communicate risk to senior leaders and directors. You should consider the following factors.

  • Loss of revenue. Your organization makes less money.

  • Increased operating costs. It costs more to keep your business operating than it did before, which will impact its decisions about hiring and buying new things.
