
How to Estimate the Business Impact of a Breach

Before you can advise management on how much time and money to spend securing information assets, you need to know which information assets you must protect and how much each is worth to the company.

If your organization doesn’t have this information, you can quickly estimate the value and risk for each asset using a qualitative approach.

A qualitative approach means that you focus on the general business impact of a breach on each information asset for each of the following information security attributes:

  1. Confidentiality
  2. Integrity
  3. Availability

That is, each asset will have three business impact values: one for confidentiality, one for integrity, and one for availability.

Defining High, Medium and Low Impact

Each impact assessment is done in terms of high, medium, and low.

For confidentiality, I generally use the following assumptions:

  • Low impact = negligible business impact.
  • Medium impact = significant loss of revenue, regulatory fines, and damage to reputation lasting between a few months and one year. The impact is significant but will not put the company out of business.
  • High impact = significant loss of revenue, heavy regulatory fines, and loss of reputation to the extent that the continued existence of the company may be in doubt.

For integrity, I usually assume:

  • Low impact = recovery is completed within a few days of discovery; negligible impact on company revenues.
  • Medium impact = recovery may take days to several weeks; the company may have to restate government-mandated reports; significant impact on company reputation and revenues.
  • High impact = recovery may take months to years; the impact is such that the continued existence of the company may be in doubt.

For availability, I generally assume:

  • Low impact = worst case, it takes a day or less to recover the asset, with little or no impact on company revenues.
  • Medium impact = it may take between one day and several weeks to recover the asset. Company revenues will be significantly affected for a year or more.
  • High impact = the asset is unavailable for more than several weeks. Whether the company can recover the asset, or remain in business after the incident, is in question.

The exact time frames are not critical; there are no right or wrong answers. Choose the time frames that make sense for your own organization.

Assign an Impact Level to Each Information Asset

For each asset, compare the impact levels for all three security attributes and assign the highest of the three as that asset’s business impact value: the asset needs protection commensurate with its worst-case attribute.

Defining the boundaries for each information asset is very subjective.  Consider, for example, an external e-commerce Web server that doesn’t store any information locally.  You could define the information asset as any of the following:

  • just the server
  • just the e-commerce application
  • both
  • both plus the DMZ firewall

The key is to define each information asset so that, wherever possible, it covers all the pieces involved in a specific business or IT process. Defining an asset too broadly hides the importance of its sub-components; defining it too narrowly results in redundant effort.

Defining the Likelihood of a Breach

For each information asset, you also need to estimate the likelihood of a breach occurring.

With the qualitative approach, you rank the likelihood as high, medium, or low probability. The quantitative approach instead estimates the probability of a breach in a single year and multiplies it by the expected loss per incident to get an annualized loss expectancy in dollars. The qualitative approach isn’t any more objective, but it takes far less time.

The Magic Matrix

Now you can build a matrix of information assets against impact and likelihood, like this:

    Information Asset Description    Impact    Likelihood
    e-Commerce application
    Payroll application
    DMZ Firewall/router
    Internal web server
    Internal production server

This matrix gives you an idea of where to focus your resources.  Your management will appreciate how easily they can ascertain the most critical risks to your business using this chart.
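The procedure above (rate confidentiality, integrity and availability as low/medium/high, take the highest as the asset’s business impact, pair it with a likelihood, and rank the assets) is small enough to script. The following is an added worked example, not code from the original post or from the TeamSecurity service. Everything in it is an assumption for illustration: the function names, the choice to score a matrix cell by the sum of the impact and likelihood ranks, the recovery-time band edges passed to impact_from_recovery_days, and the sample ratings given to the post’s five asset names, which are constructed and not real assessments.

```python
"""Qualitative breach-impact matrix (added example, not from the original post).

Each asset gets a low/medium/high impact for confidentiality, integrity and
availability; the asset's business impact is the highest of the three; the
asset is then placed on an impact x likelihood matrix and ranked.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")
RANK = {name: i for i, name in enumerate(LEVELS)}   # low=0, medium=1, high=2


def check_level(level: str) -> str:
    """Reject anything that is not one of the three qualitative levels."""
    if level not in RANK:
        raise ValueError(f"level must be one of {LEVELS}, got {level!r}")
    return level


def impact_from_recovery_days(days: float, low_max: float, high_min: float) -> str:
    """Translate a worst-case recovery time into low/medium/high.

    Mirrors the post's time bands: low if recovery takes at most low_max days,
    high if it takes more than high_min days, medium in between.  The band
    edges are the caller's choice (assumption), as the post leaves them open.
    """
    if days < 0:
        raise ValueError("recovery time cannot be negative")
    if days <= low_max:
        return "low"
    if days > high_min:
        return "high"
    return "medium"


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    likelihood: str

    def __post_init__(self) -> None:
        for lvl in (self.confidentiality, self.integrity,
                    self.availability, self.likelihood):
            check_level(lvl)


def asset_impact(asset: Asset) -> str:
    """Business impact value = the highest of the three CIA impact levels."""
    return max((asset.confidentiality, asset.integrity, asset.availability),
               key=RANK.__getitem__)


def risk_level(impact: str, likelihood: str) -> str:
    """Place an (impact, likelihood) pair in a cell of the 3x3 matrix.

    Assumption (not from the post): cells are scored by rank sum, so
    high/high, high/medium and medium/high are 'high'; medium/medium,
    high/low and low/high are 'medium'; everything else is 'low'.
    """
    score = RANK[check_level(impact)] + RANK[check_level(likelihood)]   # 0..4
    if score >= 3:
        return "high"
    if score == 2:
        return "medium"
    return "low"


def build_matrix(assets):
    """Return (name, impact, likelihood, risk) rows, most critical first."""
    rows = []
    for a in assets:
        impact = asset_impact(a)
        rows.append((a.name, impact, a.likelihood, risk_level(impact, a.likelihood)))
    # Sort by risk, then impact, then likelihood, all descending; name breaks ties.
    rows.sort(key=lambda r: (-RANK[r[3]], -RANK[r[1]], -RANK[r[2]], r[0]))
    return rows


def render(rows) -> str:
    """Plain-text table for the management summary."""
    header = ("Information Asset", "Impact", "Likelihood", "Risk")
    widths = [max(len(str(x)) for x in col) for col in zip(header, *rows)]
    fmt = "  ".join(f"{{:<{w}}}" for w in widths)
    return "\n".join(fmt.format(*r) for r in (header, *rows))


# Constructed sample ratings for the post's asset names; not real assessments.
SAMPLE_ASSETS = [
    Asset("e-Commerce application", "high", "medium", "high", "high"),
    Asset("Payroll application", "high", "high", "medium", "low"),
    Asset("DMZ Firewall/router", "low", "medium",
          impact_from_recovery_days(2, low_max=1, high_min=21), "medium"),
    Asset("Internal web server", "low", "low", "low", "medium"),
    Asset("Internal production server", "medium", "high", "high", "low"),
]

if __name__ == "__main__":
    print(render(build_matrix(SAMPLE_ASSETS)))
```

With the constructed ratings, the e-Commerce application lands in the high cell, the payroll and internal production servers are medium (high impact but low likelihood), the DMZ firewall is medium, and the internal web server is low. Swapping the sum-based cell scoring for a hand-drawn 3x3 lookup, or changing the recovery-time band edges, is the first thing to tune for your own organization.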

The traditional way to measure the value of your information resources is quantitative. You estimate the value of each information resource, the probability of that resource being attacked in a single year, and the cost to your organization of a successful attack on it. The result is a dollar amount per year for each resource: the most you should spend per year to protect that specific information asset.

The traditional approach can produce more precise numbers, but the result is only as accurate as each estimate that feeds it; in other words, it is still subjective. It also takes much longer, because you must work to make each estimate as accurate as possible.

Efficient, Meaningful Security Data for Management

When it comes to estimating the business impact of a security breach on your organization, I recommend starting with the qualitative approach outlined in this post. It provides usable results faster, and you always have the option of later applying quantitative measures to your key assets.

This is just one example of how my TeamSecurity service can help your top management start to think about information security as a business problem. If your IT organization needs help engaging management as active leaders in your security process, give me a call.


This entry was posted in Info Security Mgmt, Information Security, Security Breach.
