Difference between revisions of "Consequence"

Latest revision as of 13:33, 15 August 2022

The term “consequence” is not well-defined in the literature and confusion arises when compared to the terms "impact", "harm" or "effect". For example, the ISO definition found below is very general and does not distinguish between consequences for critical infrastructure, for people, for the environment, or for the economy. Such distinctions are required for two reasons:

For the CIP domain, consequences for critical infrastructure are of supreme importance, and other consequences may be ignored for certain applications (for example, when assessing the consequences of cascading effects).
For consequence analysis in the meaning of the ECI directive ^[1], assessment of consequences for people, the environment and the economy is needed according to the cross-cutting criteria mentioned there.

So far, we do not have a suggestion of specific terms for both cases. Thus the recommendation for the time being is to always clearly state if “consequence” or “consequence analysis” is being performed for CI alone or for use with the cross-cutting criteria.

Definitions

European Definitions

While the term is not officially defined in the ECI directive ^[1], cross-cutting criteria are mentioned as a metric to assess consequence.

ENISA

Outcome of an event (points to ISO/IEC Guide 73). ^[2]

European Project Definitions

CIPRNet project

The CIPRNet project ^[3] uses the following definition:

Consequence: outcome of an event affecting objectives.

National Definitions

Argentina

Consecuencia: hecho o acontecimiento que resulta de: (a) un suceso de seguridad operacional; (b) una deficiencia de seguridad operacional; o (c) un peligro. ^[4]

Australia

Consequence is the outcome of an event or situation expressed qualitatively or quantitatively. ^[5]

One definition describes consequence in terms of a loss, injury, disadvantage or gain, a second definition defines it as the effects on persons, society, the environment and the economy.

Outcome of an event affecting objectives. ^[6]

Bosnia and Herzegovina

Posledice su negativni efekti katastrofe izraženi u pogledu ljudskih uticaja, ekonomskih i ekoloških uticaja, i političkih/društvenih uticaja. (ISO 31010) ^[7]

Brazil

Consequéncia:
1. Resultado de uma seqüência de eventos acidentais, ou seja, o dano causado às pessoas ou ao meio ambiente, em decorrência de um acidente.
2. Resultado imediato de uma seqüência de eventos acidentais como o fogo, a perda econômica etc., que são os resultados finais. ^[8]

Canada

Consequence is the outcome of an event or situation expressed qualitatively or quantitatively, being a loss, injury or disadvantage.

Consequence est le résultat d’une situation ou d’un évènement, exprimé qualitativement ou quantitativement, qu’il s’agisse d’une perte, d’une lésion ou d’un inconvénient. ^[9]

Conséquence: Mesure des effets prévus d’un accident. (CCPS, 1989a)^[10]

Colombia

Consecuencia: Resultado de un evento que afecta a los objetivos. ^[11]

Czech Republic

Následek: Výsledek události působící na cíle. ^[12]

Consequence is the result of an event which affects the objectives.^[13]

Denmark

Konsekvens beskriver de skader, en hændelse kan medføre på personer, ejendom og miljø. ^[14]

France

Gravité: Quantification des conséquences d’un événement redouté ou d’un risque. ^[15]

Consequences: Quantification of the severity of a risk or feared event. ^[16]

Luxembourg

Conséquence: Effet d’un événement affectant les objectifs. ^[17]

Un événement unique peut engendrer des conséquences multiples.
Une conséquence peut être certaine ou incertaine et dans le cadre de la sécurité de l’information elle est généralement négative.
Les conséquences peuvent être exprimées de façon qualitative ou quantitative.
Des conséquences initiales peuvent déclencher des réactions en chaîne.

Norway

Konsekvenser er virkningene av den uønskede hendelsen på gitte samfunnsverdier. ^[18]

Consequences are the effects of an adverse event on given societal assets. ^[19]

Switzerland

Auswirkung: Die Auswirkungen beschreiben die Gesamtheit aller Folgen aus einem oder mehreren Ereignissen. ^[20]

Auswirkungen können sowohl negativ (Schaden) als auch positiv (Nutzen) sein.

Conséquence: Les conséquences décrivent l’ensemble des effets d’un ou de plusieurs événements. ^[21]

Les conséquences peuvent aussi bien être négatives (dommages) que positives (bénéfices).

Conseguenza: Le conseguenze descrivono l’insieme degli effetti di uno o più eventi. ^[22]

Possono essere negative (danni) o positive (benefici).

United Kingdom

Consequence is impact resulting from the occurrence of a particular hazard or threat, measured in terms of the numbers of lives lost, people injured, the scale of damage to property and the disruption to essential services and commodities. ^[23]

United States

DHS

Consequence is the effect of an event, incident, or occurrence, including the number of deaths, injuries, and other human health impacts along with economic impacts both direct and indirect and other negative outcomes to society (adapted from the 2010 DHS Risk Lexicon ^[24]).

In cybersecurity, the effect of a loss of confidentiality, integrity or availability of information or an information system on an organization's operations, its assets, on individuals, other organizations, or on national interests. ^[25]

NIST

Consequence: Effect (change or non-change), usually associated with an event or condition or with the system and usually allowed, facilitated, caused, prevented, changed, or contributed to by the event, condition, or system. ^[26]

Standard Definition

ISA-62443-*

Consequence is the condition or state that logically or naturally follows from an event. ^[27]

ISO/IEC 27000:2014 and ISO 31000:2009

The outcome of an event affecting objectives. ^[28] ^[29]

The standard notes that (a) an event can lead to a range of consequences, (b) a consequence can be certain or uncertain and in the context of Information Security is usually negative, (c) consequences can be expressed qualitatively or quantitatively and (d) initial consequences can escalate through knock-on effects.

Notes

References

[ECI-1] {Jump up to: 1.0} ^1.1 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.

[ENISAGlos-2] Jump up ↑ ENISA Risk Glossary

[ciprnet-3] Jump up ↑ http://www.ciprnet.eu/

[4] Jump up ↑ Sistema Nacional de Gestión de la Secuidad Operacional (SSP), Argentina, 2016

[MAIMAus-5] Jump up ↑ Australian Emergency Management Glossary, Emergency Management Australia (1998)

[6] Jump up ↑ Australia AS NZS 5050 (2010)

[7] Jump up ↑ RADNA VERZIJA OSOBLJA KOMISIJE: Procjena rizika i mapiranje smernice za upravljanje katastrofama

[8] Jump up ↑ GLOSSÁRIO DE DEFESA CIVIL ESTUDOS DE RISCOS E MEDICINA DE DESASTRES, Ministério da Integração Nacional, Brazil

[Can-9] Jump up ↑ Ontario English-French Emergency Management Glossary of Terms (2011)

[canada-10] Jump up ↑ Guide Analyse de risques d'accidents technologiques majeurs (2002)

[11] Jump up ↑ Glosario Policia Colombia

[12] Jump up ↑ Výkladový slovník kybernetické bezpečnosti (2013)

[13] Jump up ↑ Výkladový slovník kybernetické bezpečnosti (2013)

[14] Jump up ↑ HÅNDBOG I RISIKOBASERET DIMENSIONERING, Beredskabsstyrelsen, Denmark (2004)

[15] Jump up ↑ Méthode de classiﬁcation et mesures principales, ANSSI (2014)

[16] Jump up ↑ Classiﬁcation Method and Key Measures, ANSSI (2014)

[17] Jump up ↑ Glossaire

[18] Jump up ↑ DSB, National Risikobild 2014

[19] Jump up ↑ DSB, National Risk Analysis 2014

[20] Jump up ↑ Glossar der Risikobegriffe, Bundesamt für Bevölkerungsschutz BABS, 29.4.2013

[21] Jump up ↑ Glossaire des risques, Office fédéral de la protection de la population, 29.4.2013

[22] Jump up ↑ Glossario sui rischi, l’Ufficio federale della protezione della popolazione UFPP, 29.4.2013

[23] Jump up ↑ Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)

[DHSLex-24] Jump up ↑ DHS Risk Lexicon 2010 Edition, September 2010

[nicss-25] Jump up ↑ DHS/NICSS Glossary

[26] Jump up ↑ NIST Glossary/ ISO/IEC 15026

[ISA999-27] Jump up ↑ ISA-62443 series

[ISO27000-14-28] Jump up ↑ ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary

[ISO31000-09-29] Jump up ↑ ISO/IEC 31000:2009, Risk management -- Principles and guidelines

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

@@ Line 1: / Line 1: @@
-<big>The term “consequence” is not well-defined in the literature and confusion arises when compared to the terms "[[impact]]", "[[harm]]" or "effect".
+<big>The term “consequence” is not well-defined in the literature and confusion arises when compared to the terms "[[impact]]", "[[harm]]" or "[[effect]]".
 For example, the ISO definition found below is very general and does not distinguish between consequences for [[Critical Infrastructure|critical infrastructure]], for people, for the environment, or for the economy.
 Such distinctions are required for two reasons:
@@ Line 5: / Line 5: @@
 # For consequence analysis in the meaning of the ECI directive <ref name="ECI"> [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:345:0075:0082:EN:PDF Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.]</ref>, assessment of consequences for people, the environment and the economy is needed according to the [[cross-cutting criteria]] mentioned there.
-So far, we do not have a suggestion of specific terms for both cases. Thus the recommendation for the time being is to always clearly state if “[[consequence]]” or “consequence analysis” is being performed for [[CI]] alone or for use with the [[cross-cutting criteria]].</big><br />
+So far, we do not have a suggestion of specific terms for both cases. Thus the recommendation for the time being is to always clearly state if “[[consequence]]” or “[[consequence analysis]]” is being performed for [[CI]] alone or for use with the [[cross-cutting criteria]].</big><br />
@@ Line 11: / Line 11: @@
 === European Definitions ===
 <big>While the term is not officially defined in the [[ECI]] directive <ref name="ECI"></ref>, [[cross-cutting criteria]] are mentioned as a metric to assess [[consequence]].</big>
+====[[ENISA]]====
+{{definition|Outcome of an [[event]] (points to [[ISO|ISO/IEC Guide 73]]). <ref name="ENISAGlos"> [http://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/glossary ENISA Risk Glossary]</ref>}}<br />
+=== European Project Definitions ===
+==== CIPRNet project ====
+{{quote-ciprnet|Consequence: outcome of an [[event]] affecting objectives. }}
 <!-- === Other International Definitions ===
-Test test test. -->
+ -->
+<br/>
 === National Definitions ===
-==== Australia ====
+==== [[Argentina]] ====
+{{definition|Consecuencia: hecho o acontecimiento que resulta de: (a) un suceso de seguridad operacional; (b) una deficiencia de seguridad operacional; o (c) un peligro.  <ref>[http://www.anac.gov.ar/anac/web/uploads/ssp-sms/manual-del-ssp-argentino.pdf Sistema Nacional de Gestión de la Secuidad Operacional (SSP), Argentina, 2016]</ref>}}<br /><br/>
+==== [[Australia]] ====
 {{definition|Consequence is the outcome of an [[event]] or situation expressed qualitatively or quantitatively. <ref name="MAIMAus">[https://www.em.gov.au/Documents/Manual03-AEMGlossary.PDF Australian Emergency Management Glossary, Emergency Management Australia (1998)]</ref>}}One definition describes consequence in terms of a loss, injury, disadvantage or gain, a second definition defines it as the effects on persons, society, the environment and the economy. <br />
-{{definition|Outcome of an [[event]] affecting objectives. <ref> [http://www.risknz.org.nz/files/3114/0868%2F4596%2F5050-2010.pdf Australia AS NZS 5050 (2010)]</ref>}}<br />
+{{definition|Outcome of an [[event]] affecting objectives. <ref> [http://www.risknz.org.nz/files/3114/0868%2F4596%2F5050-2010.pdf Australia AS NZS 5050 (2010)]</ref>}}<br /><br/>
-==== Canada ====
+==== [[Bosnia and Herzegovina]] ====
-{{definition|Consequence is the outcome of an event or situation expressed qualitatively or quantitatively, being a loss, injury or disadvantage.<br/><br/>Consequence est le résultat d’une situation ou d’un évènement, exprimé qualitativement ou quantitativement, qu’il s’agisse d’une perte, d’une lésion ou d’un inconvénient. <ref name="Can"> [http://www.sse.gov.on.ca/mgs/onterm/Documents/Glossaries/EMO%20Glossary%20EN-FR.htm Ontario English-French Emergency Management Glossary of Terms (2011)]</ref>}}<br /><br />
+{{definition|Posledice su negativni efekti katastrofe izraženi u pogledu ljudskih uticaja, ekonomskih i ekoloških uticaja, i političkih/društvenih uticaja. (ISO 31010)  <ref>[http://www.msb.gov.ba/PDF/EU_SMJERNICE_ZA_PRCJENU_RIZIKA21122015.pdf RADNA VERZIJA OSOBLJA KOMISIJE: Procjena rizika i mapiranje smernice za upravljanje katastrofama]</ref>}}<br/><br/>
-====United Kingdom====
+====[[Brazil]] ====
-{{definition|Consequence is [[impact]] resulting from the occurrence of a particular [[hazard]] or [[threat]], measured in terms of the numbers of lives lost, people injured, the scale of [[damage]] to property and the disruption to essential services and commodities. <ref> [https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/61046/EP_Glossary_amends_18042012_0.pdf Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)]</ref>}}<br />
+{{definition|Consequéncia:<br/>1. Resultado de uma seqüência de eventos acidentais, ou seja, o dano causado às pessoas ou ao meio ambiente, em decorrência de um acidente. <br/>2. Resultado imediato de uma seqüência de eventos acidentais como o fogo, a perda econômica etc., que são os resultados finais. <ref>[http://www.bombeiros.go.gov.br/wp-content/uploads/2012/06/16-Glosssario-de-Defesa-Civil-Estudo-de-Risco-e-Medicina-de-Desastres.pdf GLOSSÁRIO DE DEFESA CIVIL ESTUDOS DE RISCOS E MEDICINA DE DESASTRES, Ministério da Integração Nacional, Brazil]</ref>}}<br /><br/>
+==== [[Canada]] ====
+{{definition|Consequence is the outcome of an event or situation expressed qualitatively or quantitatively, being a loss, injury or disadvantage.<br/><br/>Consequence est le résultat d’une situation ou d’un évènement, exprimé qualitativement ou quantitativement, qu’il s’agisse d’une perte, d’une lésion ou d’un inconvénient. <ref name="Can"> [http://www.sse.gov.on.ca/mgs/onterm/Documents/Glossaries/EMO%20Glossary%20EN-FR.htm Ontario English-French Emergency Management Glossary of Terms (2011)]</ref>}}<br />
+{{definition|Conséquence: [[Measure|Mesure]] des effets prévus d’un [[accident]]. (CCPS, 1989a)<ref name="canada">[http://www.mddelcc.gouv.qc.ca/evaluations/documents/guide-risque-techno.pdf Guide Analyse de risques d'accidents technologiques majeurs (2002)]</ref>}}<br /><br/>
+==== [[Colombia]] ====
+{{definition|Consecuencia: Resultado de un evento que afecta a los objetivos.  <ref>[https://www.policia.gov.co/glosario Glosario Policia Colombia]</ref>}}<br /><br/>
-==== United States ====
+==== [[Czech Republic]] ====
+{{definition| Následek: Výsledek události působící na cíle. <ref>[http://www.govcert.cz/download/nodeid-561  Výkladový slovník kybernetické bezpečnosti (2013)]</ref> <br/><br/> Consequence is the result of an [[event]] which affects the objectives.<ref>[http://www.govcert.cz/download/nodeid-561  Výkladový slovník kybernetické bezpečnosti (2013)]</ref>}}<br/><br/>
+==== [[Denmark]] ====
+{{definition|Konsekvens beskriver de skader, en hændelse kan medføre på personer, ejendom og miljø. <ref>[https://brs.dk/viden/publikationer/Documents/RBDhaandbog.pdf HÅNDBOG I RISIKOBASERET DIMENSIONERING, Beredskabsstyrelsen, Denmark (2004)]</ref>}}<br /><br/>
+==== [[France]] ====
+{{definition|Gravité: Quantification des conséquences d’un événement redouté ou d’un [[Risk|risque]].  <ref>[https://www.ssi.gouv.fr/uploads/2014/01/securite_industrielle_GT_methode_classification-principales_mesures.pdf Méthode de classiﬁcation et mesures principales, ANSSI (2014)]</ref><br/><br/>Consequences: Quantification of the [[severity]] of a [[risk]] or feared [[event]]. <ref>[https://www.ssi.gouv.fr/uploads/2014/01/industrial_security_WG_Classification_Method.pdf Classiﬁcation Method and Key Measures, ANSSI (2014)]</ref>}}<br/><br/>
+==== [[Luxembourg]] ====
+{{definition|Conséquence: Effet d’un événement affectant les objectifs. <ref>[https://cybersecurite.public.lu/fr/glossaire.html Glossaire]</ref>}}Un événement unique peut engendrer des conséquences multiples.<br/>Une conséquence peut être certaine ou incertaine et dans le cadre de la sécurité de l’information elle est généralement négative.<br/>Les conséquences peuvent être exprimées de façon qualitative ou quantitative.<br/>Des conséquences initiales peuvent déclencher des réactions en chaîne.<br /><br/>
+==== [[Norway]] ====
+{{definition|Konsekvenser er virkningene av den uønskede hendelsen på gitte samfunnsverdier. <ref>[https://www.dsb.no/globalassets/dokumenter/rapporter/nrb_2014.pdf DSB, National Risikobild 2014]</ref><br/><br/>Consequences are the effects of an adverse [[event]] on given societal assets. <ref>[http://www.dsbinfo.no/DSBno/2015/Andre/NationalRiskAnalysis2014/ DSB, National Risk Analysis 2014]</ref>}}<br/><br/>
+==== [[Switzerland]]====
+{{definition|Auswirkung: Die Auswirkungen beschreiben die Gesamtheit aller Folgen aus einem oder mehreren [[event|Ereignissen]]. <ref>[http://www.bevoelkerungsschutz.admin.ch/internet/bs/de/home/themen/gefaehrdungen-risiken.parsysrelated1.62085.downloadList.63404.DownloadFile.tmp/20130422glossarde.pdf Glossar der Risikobegriffe, Bundesamt für Bevölkerungsschutz BABS, 29.4.2013]</ref>}}
+Auswirkungen können sowohl negativ (Schaden) als auch positiv (Nutzen) sein.<br/><br/>
+{{definition|Conséquence: Les conséquences décrivent l’ensemble des effets d’un ou de plusieurs [[event|événements]]. <ref>[http://www.bevoelkerungsschutz.admin.ch/internet/bs/fr/home/themen/gefaehrdungen-risiken.parsysrelated1.83210.downloadList.55257.DownloadFile.tmp/20130422glossarfr.pdf Glossaire des risques, Office fédéral de la protection de la population, 29.4.2013]</ref>}} Les conséquences peuvent aussi bien être négatives (dommages) que positives (bénéfices).<br/><br/>
+{{definition|Conseguenza: Le conseguenze descrivono l’insieme degli effetti di uno o più [[event|eventi]]. <ref>[http://www.bevoelkerungsschutz.admin.ch/internet/bs/it/home/themen/gefaehrdungen-risiken.parsysrelated1.49227.downloadList.52339.DownloadFile.tmp/20130422glossarit.pdf Glossario sui rischi, l’Ufficio federale della protezione della popolazione UFPP, 29.4.2013]</ref>}}
+Possono essere negative (danni) o positive (benefici).
+<br/><br/>
+====[[United Kingdom]]====
+{{definition|Consequence is [[impact]] resulting from the occurrence of a particular [[hazard]] or [[threat]], measured in terms of the numbers of lives lost, people injured, the scale of [[damage]] to property and the disruption to essential services and commodities. <ref> [https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/61046/EP_Glossary_amends_18042012_0.pdf Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)]</ref>}}<br /><br/>
+==== [[United States]] ====
+===== [[DHS]] =====
 {{definition|Consequence is the effect of an [[event]], [[incident]], or occurrence, including the number of deaths, injuries, and other human health impacts along with economic impacts both direct and indirect and other negative outcomes to society (adapted from the 2010 DHS Risk Lexicon <ref name="DHSLex"> [http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf DHS Risk Lexicon 2010 Edition, September 2010]</ref>).}}
+<br/>
+{{definition|In cybersecurity, the effect of a loss of confidentiality, integrity or availability of information or an information system on an organization's operations, its assets, on individuals, other organizations, or on national interests. <ref name=nicss>[https://niccs.us-cert.gov/glossary DHS/NICSS Glossary]</ref>}}<br/>
+===== [[NIST]]=====
+{{definition|Consequence: Effect (change or non-change), usually associated with an event or condition or with the system and usually allowed, facilitated, caused, prevented, changed, or contributed to by the event, condition, or system. <ref>[https://csrc.nist.gov/glossary/term/Operational-technology NIST Glossary/ ISO/IEC 15026]</ref>}}<br/><br/>
 ===Standard Definition===
-==== ISO/IEC 27000:2014 and ISO 31000:2009 ====
+==== [[ISA|ISA-62443-*]] ====
+{{definition|Consequence is the condition or state that logically or naturally follows from an [[event]]. <ref name='ISA999'>ISA-62443 series</ref>}}<br/><br/>
+==== [[ISO|ISO/IEC 27000:2014 and ISO 31000:2009]] ====
 {{definition|The outcome of an event affecting objectives. <ref name="ISO27000-14"> [http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=63411 ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary]</ref> <ref name="ISO31000-09"> [http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170 ISO/IEC 31000:2009, Risk management -- Principles and guidelines]</ref> }}
 <big>The standard notes that (a) an [[event]] can lead to a range of consequences, (b) a consequence can be certain or uncertain and in the context of [[Information Security]] is usually negative, (c) consequences can be expressed qualitatively or quantitatively and (d) initial consequences can escalate through knock-on effects.</big><br />
 ==See also==
-*[[Cross-cutting criteria]]
+*[[Consequence Analysis]]
+*[[Cross-cutting Criteria]]
+*[[Effect]]
+*[[Impact]]
 *[[Human Consequence]]
-*[[Consequence analysis]]
+*[[Severity]]
 ==Notes==
-<references />
-<!--
 ==References==
-* Test reference. -->
+<references />
 [[Category:Consequence]]
 [[Category:Risk]]
-{{#set:defined by=Australia|defined by=Canada|defined by=United Kingdom|defined by=United States|defined by=ISO|defined by=Ontario}}
+{{#set:defined by=ENISA|defined by=Argentina|defined by=Australia|defined by=Bosnia and Herzegovina|defined by=Brazil|defined by=Canada|defined by=Colombia|defined by=Czech Republic|defined by=Denmark|defined by=France|defined by=Luxembourg|defined by=Norway|defined by=Switzerland|defined by=United Kingdom|defined by=United States|defined by=NIST|defined by=ISA|defined by=ISO|defined by=Ontario}}
+[[Category:CIPRNet-Glossary]]
+{{#set:defined by=EU project}}
+{{#set: Showmainpage=Yes}}