Fri Apr 8 06:47:16 PDT 2016

Overarching: Content: What content does the enterprise have and what are the consequences of protection failures?


Options:

Fill in the table by identifying relevant content types with examples and removing or replacing consequences identified.

Basis:

Different mechanisms have different implications in different situations in terms of the consequences of protection failures.

Typical consequences identified include:

  • LOW: Wasted time and effort (inefficiency) and losses reasonably covered by non-cyber insurance (e.g., shrinkage, minor accidents and injuries).
  • MEDIUM: Substantial negative publicity, acts viewed as gross negligence, substantial enterprise value reduction, serious injury, limited environmental damage or societal harm.
  • HIGH: Loss of life, serious environmental or societal damage, enterprise collapse, other dire consequences.

For example, a temperature control system might have LOW consequences in a small automated photographic developing facility, MEDIUM consequences in a food production facility (where redundant tests identify a "bad batch"), and HIGH consequences in a chemical plant where its failure causes a major explosion.

Typically, consequences of information protection failures are associated with a loss of integrity (I), availability (A), confidentiality (C), control over use (U), accountability (T), transparency (R), and custody (S) in an information system. These failures ultimately lead to real-world effects through their impact on the control system.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved