Difference between revisions of "Consequence"

From CIPedia
Jump to navigation Jump to search
m (Switzerland)
Line 62: Line 62:
{{#set:defined by=ENISA|defined by=Australia|defined by=Canada|definesd by=Czech Republic|defined by=Switzerland|defined by=United Kingdom|defined by=United States|defined by=ISO|defined by=Ontario}}
{{#set:defined by=ENISA|defined by=Australia|defined by=Canada|definesd by=Czech Republic|defined by=Switzerland|defined by=United Kingdom|defined by=United States|defined by=ISO|defined by=Ontario}}
{{#set:defined by=EU project}}

Revision as of 17:37, 5 August 2016

The term “consequence” is not well-defined in the literature and confusion arises when compared to the terms "impact", "harm" or "effect". For example, the ISO definition found below is very general and does not distinguish between consequences for critical infrastructure, for people, for the environment, or for the economy. Such distinctions are required for two reasons:

  1. For the CIP domain, consequences for critical infrastructure are of supreme importance, and other consequences may be ignored for certain applications (for example, when assessing the consequences of cascading effects).
  2. For consequence analysis in the meaning of the ECI directive [1], assessment of consequences for people, the environment and the economy is needed according to the cross-cutting criteria mentioned there.

So far, we do not have a suggestion of specific terms for both cases. Thus the recommendation for the time being is to always clearly state if “consequence” or “consequence analysis” is being performed for CI alone or for use with the cross-cutting criteria.


European Definitions

While the term is not officially defined in the ECI directive [1], cross-cutting criteria are mentioned as a metric to assess consequence.


Outcome of an event (points to ISO/IEC Guide 73). [2]

National Definitions


Consequence is the outcome of an event or situation expressed qualitatively or quantitatively. [3]

One definition describes consequence in terms of a loss, injury, disadvantage or gain, a second definition defines it as the effects on persons, society, the environment and the economy.

Outcome of an event affecting objectives. [4]


Consequence is the outcome of an event or situation expressed qualitatively or quantitatively, being a loss, injury or disadvantage.

Consequence est le résultat d’une situation ou d’un évènement, exprimé qualitativement ou quantitativement, qu’il s’agisse d’une perte, d’une lésion ou d’un inconvénient. [5]

Czech Republic

Následek: Výsledek události působící na cíle. [6]

Consequence is the result of an event which affects the objectives.[7]


Auswirkung: Die Auswirkungen beschreiben die Gesamtheit aller Folgen aus einem oder mehreren Ereignissen. [8]

Auswirkungen können sowohl negativ (Schaden) als auch positiv (Nutzen) sein.

Conséquence: Les conséquences décrivent l’ensemble des effets d’un ou de plusieurs événements. [9]

Les conséquences peuvent aussi bien être négatives (dommages) que positives (bénéfices).

Conseguenza: Le conseguenze descrivono l’insieme degli effetti di uno o più eventi. [10]

Possono essere negative (danni) o positive (benefici).

United Kingdom

Consequence is impact resulting from the occurrence of a particular hazard or threat, measured in terms of the numbers of lives lost, people injured, the scale of damage to property and the disruption to essential services and commodities. [11]

United States

Consequence is the effect of an event, incident, or occurrence, including the number of deaths, injuries, and other human health impacts along with economic impacts both direct and indirect and other negative outcomes to society (adapted from the 2010 DHS Risk Lexicon [12]).

Standard Definition

ISO/IEC 27000:2014 and ISO 31000:2009

The outcome of an event affecting objectives. [13] [14]

The standard notes that (a) an event can lead to a range of consequences, (b) a consequence can be certain or uncertain and in the context of Information Security is usually negative, (c) consequences can be expressed qualitatively or quantitatively and (d) initial consequences can escalate through knock-on effects.

See also
