Vulnerability Impact

Impact can be frustrating to work with because a single vulnerability can lead to a variety of undesirable outcomes, any of which may or may not happen. Unless we are forced to translate everything into dollar values, we can work with whatever quantities we are actually concerned about.

Example Scenarios

Let's assume the following scenarios. Each one takes an SQL injection that has already been exploited as its starting point, and each is a yes/no outcome with a threshold, so it can be assigned a probability:

  • Users Compromised: Sensitive data for more than 100 customers will be impacted.
  • Downtime: Downtime for incident response will exceed 1 hour.
  • Engineering Response Hours: More than 8 engineering hours will be spent on response.
  • Growth Accounting: Projected growth from new, expanded, or retained customers drops by more than 1%.
  • Headlines: One or more national newspaper headlines.

Example Intervals

Another step up is to elicit a credible interval: for instance, a min-and-max range (the 5th and 95th percentiles, a 90% interval) within which we believe the true value will land.

Here's an example impact assessment with intervals. It assumes a secret has already leaked.

75% Interval Forecasts

  • Users Compromised: 0-1.5M Customers (75% Interval)
  • Downtime: 0-9 days (75% Interval)
  • Engineering Response Hours: 40-500 hours (75% Interval)
  • Growth Accounting: 1k-100k Churn this month (75% Interval)
  • Headlines: 0-5 Headlines (75% Interval)
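As an added worked example (not code from the original page), here is how a set of interval forecasts like the ones above can be turned back into probabilities for the yes/no scenarios in the first list. It assumes, which the page does not state, that each quantity is lognormally distributed, that a 75% interval leaves 12.5% of the probability in each tail, and that a low end of 0 is treated as one unit (one customer, one hour, one headline). The function and variable names are mine, and the forecast table is constructed by pairing the page's intervals with the page's thresholds in a common unit.

```python
# Added example (not from the original page): turn interval forecasts into
# probabilities for yes/no impact scenarios.
#
# Assumptions that are mine, not the page's:
#   * each quantity is lognormal (non-negative, right-skewed), the usual
#     choice for "how much" estimates in calibrated forecasting;
#   * a stated 75% interval leaves 12.5% of the probability below its low
#     end and 12.5% above its high end;
#   * a low end of 0 is replaced by FLOOR (one customer, one hour, one
#     headline) because the lognormal is undefined at 0.
from math import exp, log
from statistics import NormalDist

STD_NORMAL = NormalDist()   # standard normal, used for quantiles and tails
FLOOR = 1.0                 # smallest positive value a quantity can take


def fit_lognormal(low, high, interval=0.75, floor=FLOOR):
    """Return (mu, sigma) of the lognormal whose central `interval` is [low, high]."""
    if not 0 < interval < 1:
        raise ValueError("interval must be strictly between 0 and 1")
    low = max(low, floor)
    if high <= low:
        raise ValueError("high end must exceed the low end (after flooring)")
    tail = (1 - interval) / 2               # probability mass in each tail
    z = STD_NORMAL.inv_cdf(1 - tail)        # 1.15 for 75%, 1.645 for a 5/95% interval
    mu = (log(low) + log(high)) / 2         # log-midpoint: the median is exp(mu)
    sigma = (log(high) - log(low)) / (2 * z)
    return mu, sigma


def prob_exceeds(threshold, mu, sigma):
    """P(X > threshold) for a lognormal X with parameters (mu, sigma)."""
    if threshold <= 0:
        return 1.0
    return 1 - STD_NORMAL.cdf((log(threshold) - mu) / sigma)


def lognormal_median(mu):
    """Median of the fitted lognormal: the geometric mean of the interval ends."""
    return exp(mu)


# Constructed from the page's 75% intervals and the yes/no thresholds from
# the first scenario list, converted to a common unit per quantity.
# "Growth accounting" is omitted: its interval is a churn count and its
# threshold a percentage, and converting between them needs a customer
# base the page does not state.
FORECASTS = {
    "users_compromised": {"low": 0,  "high": 1_500_000, "threshold": 100},  # customers
    "downtime_hours":    {"low": 0,  "high": 9 * 24,    "threshold": 1},    # 0-9 days, in hours
    "engineering_hours": {"low": 40, "high": 500,       "threshold": 8},
    "headlines":         {"low": 0,  "high": 5,         "threshold": 1},
}


def scenario_probabilities(forecasts=FORECASTS, interval=0.75):
    """Map each quantity to P(outcome exceeds its scenario threshold)."""
    result = {}
    for name, f in forecasts.items():
        mu, sigma = fit_lognormal(f["low"], f["high"], interval)
        result[name] = prob_exceeds(f["threshold"], mu, sigma)
    return result


if __name__ == "__main__":
    for name, p in scenario_probabilities().items():
        print(f"{name:<20} P(exceeds threshold) = {p:.2f}")
```

Two caveats a practitioner should keep in mind. First, for an interval whose low end is 0 (users, downtime, headlines), the answer is driven almost entirely by the floor you choose, so pick the floor to match the smallest outcome you would actually count rather than accepting the default of 1. Second, the 75% interval in the example is narrower than the 5/95% range described above; `fit_lognormal` takes the interval width as a parameter so the same code works for either, but the two must not be mixed within one assessment.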

It's possible that these can all be decomposed further into a single dollar amount. However, the quantities themselves are likely to be informative enough for decision making, and the decomposition will cost time and effort.