60 2.5 Emergency Incident Assessment
cannot be measured in specific units but can be qualified or described in
terms of high, medium, and low impacts.
Because of the generic nature of this discussion, this book describes only
the qualitative categories: high, medium, and low impact. High impact is
when exercise of the vulnerability may result in the costly loss of major tangible
assets or resources; or may significantly violate, harm, or impede an
organization’s mission, reputation, or interest; or may result in human
death or serious injury. Medium impact is when exercise of the vulnerability
may result in the loss of tangible assets or resources; or may violate, harm,
or impede an organization’s mission, reputation, or interest; or may result in
human injury. Finally, low impact is when exercise of the vulnerability may
result in the loss of some tangible assets or resources or may noticeably
affect an organization’s mission, reputation, or interest. In the following sections,
we list some potential emergencies that you should evaluate for business
disruption as a serious information security incident.
2.5.5.1 Cybercrime
Cybercrime is a major area of information security risk. It includes attacks
by hackers, denial-of-service attacks, virus attacks, hoax virus warnings, and
premeditated internal attacks. All cybercrime attacks can have an immediate
and devastating effect on the organization’s normal business processes.
The average cost of an information security incident has been estimated at
US$30,000, and more than 60% of organizations are reported to experience
one or more incidents every year.
2.5.5.2 Loss of Records or Data
The loss of records or data can be particularly disruptive where poor backup
and recovery procedures result in the need to reinput and recompile the
records. This is normally a slow process and is particularly labor intensive,
which can result in an increase in costs through additional working hours
and a great deal of embarrassment when information is unexpectedly not
available.
2.5.5.3 Disclosure of Sensitive Information
This is a serious information security incident, which can result in severe
embarrassment, financial loss, and even litigation where damage has been
caused to someone’s reputation or financial standing. Further types of serious
disclosure involve secret patent information, plans and strategic direc-