Difference between revisions of "Consequence"

From CIPedia
Jump to navigation Jump to search
(Definitions)
Line 9: Line 9:
 
==Definitions==
 
==Definitions==
 
=== European Definitions ===
 
=== European Definitions ===
<big>While the term is not officially defined in the ECI directive <ref name="ECI"></ref>, [[cross-cutting criteria]] are mentioned as a metric to assess consequence.</big>
+
<big>While the term is not officially defined in the [[ECI]] directive <ref name="ECI"></ref>, [[cross-cutting criteria]] are mentioned as a metric to assess consequence.</big>
  
 
<!-- === Other International Definitions ===
 
<!-- === Other International Definitions ===

Revision as of 10:18, 17 June 2014

The term “consequence” is not well-defined in the literature and confusion arises when compared to the terms "impact", "harm" or "effect". For example, the ISO definition found below is very general and does not distinguish between consequences for critical infrastructure, for people, for the environment, or for the economy. Such distinctions are required for two reasons:

  1. For the CIP domain, consequences for critical infrastructure are of supreme importance, and other consequences may be ignored for certain applications (for example, when assessing the consequences of cascading effects).
  2. For consequence analysis in the meaning of the ECI directive [1], assessment of consequences for people, the environment and the economy is needed according to the [[cross-cutting criteria] mentioned there.

So far, we do not have a suggestion of specific terms for both cases. Thus the recommendation for the time being is to always clearly state if “consequence” or “consequence analysis” is being performed for CI alone or for use with the cross-cutting criteria.

Definitions

European Definitions

While the term is not officially defined in the ECI directive [1], cross-cutting criteria are mentioned as a metric to assess consequence.


National Definitions

US Definition

The effect of an event, incident, or occurrence, including the number of deaths, injuries, and other human health impacts along with economic impacts both direct and indirect and other negative outcomes to society (adapted from the 2010 DHS Risk Lexicon [2]).

Standard Definition

ISO/IEC27000:2014

The outcome of an event affecting objectives [3].

The standard notes that (a) an event can lead to a range of consequences, (b) a consequence can be certain or uncertain and in the context of information security is usually negative, (c) consequences can be expressed qualitatively or quantitatively and (d) initial consequences can escalate through knock-on effects.

See also

Notes

  1. 1.0 1.1 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  2. DHS Risk Lexicon 2010 Edition, September 2010
  3. ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
Retrieved from "https://websites.fraunhofer.de/CIPedia/index.php?title=Consequence&oldid=922"