Estimating impact

The impact that an organization may experience is the level of disruption that the organization expects because of the following:

  • Unauthorized modification of information
  • Theft of information
  • Unauthorized destruction of information
  • Loss of information system availability

This loss can be experienced throughout the organization as a whole, or can be directed at a specific business unit. Assess business impact carefully, because things may not be as they seem if you rush through the process. An event that affects the entire organization may cause less impact than one that happens within a specific business unit.

As an example, the organization may be able to reasonably tolerate a loss of availability of the corporate network due to contingency plans that are in place, even though it affects the entire organization. However, the loss of a single file that contains highly valuable intellectual property could cause an organization to lose business and could lead to the organization's eventual closure.

As with likelihood, we must define how we will measure impact. As in the previous example of likelihood, I recommend the use of three categories (low, medium, and high):

  • High: The event is expected to have multiple, severe or catastrophic adverse effects on organizational operations and/or assets
  • Medium: The event is expected to have a serious adverse effect on organizational operations and/or assets
  • Low: The event is expected to have a limited adverse effect on organizational operations and/or assets

Potential organizational impacts include the following:

  • Financial loss
  • Harm to individuals
  • Damage to organizational assets
  • Loss of operating capability