Consequence
The term “consequence” is not well-defined in the literature and confusion arises when compared to the terms "impact", "harm" or "effect". For example, the ISO definition found below is very general and does not distinguish between consequences for critical infrastructure, for people, for the environment, or for the economy. Such distinctions are required for two reasons:
- For the CIP domain, consequences for critical infrastructure are of supreme importance, and other consequences may be ignored for certain applications (for example, when assessing the consequences of cascading effects).
- For consequence analysis in the meaning of the ECI directive [1], assessment of consequences for people, the environment and the economy is needed according to the cross-cutting criteria mentioned there.
So far, we do not have a suggestion of specific terms for both cases. Thus the recommendation for the time being is to always clearly state if “consequence” or “consequence analysis” is being performed for CI alone or for use with the cross-cutting criteria.
Contents
Definitions
European Definitions
While the term is not officially defined in the ECI directive [1], cross-cutting criteria are mentioned as a metric to assess consequence.
ENISA
European Project Definitions
CIPRNet project
The CIPRNet project [3] uses the following definition:
National Definitions
Argentina
Australia
One definition describes consequence in terms of a loss, injury, disadvantage or gain, a second definition defines it as the effects on persons, society, the environment and the economy.
Bosnia and Herzegovina
Brazil
1. Resultado de uma seqüência de eventos acidentais, ou seja, o dano causado às pessoas ou ao meio ambiente, em decorrência de um acidente.
2. Resultado imediato de uma seqüência de eventos acidentais como o fogo, a perda econômica etc., que são os resultados finais. [8]
Canada
Consequence est le résultat d’une situation ou d’un évènement, exprimé qualitativement ou quantitativement, qu’il s’agisse d’une perte, d’une lésion ou d’un inconvénient. [9]
Colombia
Czech Republic
Consequence is the result of an event which affects the objectives.[13]
Denmark
France
Consequences: Quantification of the severity of a risk or feared event. [16]
Luxembourg
Un événement unique peut engendrer des conséquences multiples.
Une conséquence peut être certaine ou incertaine et dans le cadre de la sécurité de l’information elle est généralement négative.
Les conséquences peuvent être exprimées de façon qualitative ou quantitative.
Des conséquences initiales peuvent déclencher des réactions en chaîne.
Norway
Consequences are the effects of an adverse event on given societal assets. [19]
Switzerland
Auswirkungen können sowohl negativ (Schaden) als auch positiv (Nutzen) sein.
Les conséquences peuvent aussi bien être négatives (dommages) que positives (bénéfices).
Possono essere negative (danni) o positive (benefici).
United Kingdom
United States
DHS
NIST
Standard Definition
ISA-62443-*
ISO/IEC 27000:2014 and ISO 31000:2009
The standard notes that (a) an event can lead to a range of consequences, (b) a consequence can be certain or uncertain and in the context of Information Security is usually negative, (c) consequences can be expressed qualitatively or quantitatively and (d) initial consequences can escalate through knock-on effects.
See also
Notes
References
- ↑ Jump up to: 1.0 1.1 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
- Jump up ↑ ENISA Risk Glossary
- Jump up ↑ http://www.ciprnet.eu/
- Jump up ↑ Sistema Nacional de Gestión de la Secuidad Operacional (SSP), Argentina, 2016
- Jump up ↑ Australian Emergency Management Glossary, Emergency Management Australia (1998)
- Jump up ↑ Australia AS NZS 5050 (2010)
- Jump up ↑ RADNA VERZIJA OSOBLJA KOMISIJE: Procjena rizika i mapiranje smernice za upravljanje katastrofama
- Jump up ↑ GLOSSÁRIO DE DEFESA CIVIL ESTUDOS DE RISCOS E MEDICINA DE DESASTRES, Ministério da Integração Nacional, Brazil
- Jump up ↑ Ontario English-French Emergency Management Glossary of Terms (2011)
- Jump up ↑ Guide Analyse de risques d'accidents technologiques majeurs (2002)
- Jump up ↑ Glosario Policia Colombia
- Jump up ↑ Výkladový slovník kybernetické bezpečnosti (2013)
- Jump up ↑ Výkladový slovník kybernetické bezpečnosti (2013)
- Jump up ↑ HÅNDBOG I RISIKOBASERET DIMENSIONERING, Beredskabsstyrelsen, Denmark (2004)
- Jump up ↑ Méthode de classification et mesures principales, ANSSI (2014)
- Jump up ↑ Classification Method and Key Measures, ANSSI (2014)
- Jump up ↑ Glossaire
- Jump up ↑ DSB, National Risikobild 2014
- Jump up ↑ DSB, National Risk Analysis 2014
- Jump up ↑ Glossar der Risikobegriffe, Bundesamt für Bevölkerungsschutz BABS, 29.4.2013
- Jump up ↑ Glossaire des risques, Office fédéral de la protection de la population, 29.4.2013
- Jump up ↑ Glossario sui rischi, l’Ufficio federale della protezione della popolazione UFPP, 29.4.2013
- Jump up ↑ Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)
- Jump up ↑ DHS Risk Lexicon 2010 Edition, September 2010
- Jump up ↑ DHS/NICSS Glossary
- Jump up ↑ NIST Glossary/ ISO/IEC 15026
- Jump up ↑ ISA-62443 series
- Jump up ↑ ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
- Jump up ↑ ISO/IEC 31000:2009, Risk management -- Principles and guidelines