Severity Risk Factors
Severity risk factors are relevant to the estimation of the range and severity of consequences that a risk event may cause.
External Severity Risk Factors
External Severity Risk Factors are risk factors that are outside of your scope of control that may affect the consequences of the risks you manage.
These are stated as questions to ask yourself or your organisation. The ability to estimate or measure these risk factors will vary between organisations.
- How much is the business worth?
- How many customers does the business have?
- What could be the level of fines we must pay?
- How much money will an attacker steal?
- What will be the cost for adverse legal action for negligence or liability?
- What would be the cost of reduced growth?
- What would be the cost of increased regulatory scrutiny?
- How much would customer notification cost?
- How much would customer rectification cost?
- Does our supplier have a documented & practised security incident response procedure?
- Does our supplier have a robust BC/DR capability?
- Does our supplier encrypt our data?
Internal Severity Risk Factors
Internal Severity Risk Factors are risk factors that are within your scope of control and that may affect the consequences of the risks you manage. These are factors that can be subject to an internal control.
- How long does it take us to detect financial crime?
- How long does it take us to detect security incidents from the initial attack stage?
- How long does it take us to resolve security incidents once detected?
- How much does it cost us to resolve security incidents?
- How often do we practise resolving breach scenarios?
- How many data records do we store?
- How long do we store data records for?
- How much money do we hold in our accounts?
- How much money can we access in our customers' accounts?
- How many privileged user accounts do we operate?
- How much cyber insurance cover do we have?
- How long does our BC/DR process take to resume and restore normal operations following a crisis?
- Do we encrypt our data?
- How long does it take us to onboard or switch suppliers?
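As an added illustration, not part of the original page, the following Python model shows how several of the external and internal factors above (records stored, encryption, time to detect, insurance cover, per-record notification and rectification cost, fine range) combine into a low/likely/high severity range for a breach of all stored records. The model, its multipliers and the sample figures are hypothetical assumptions chosen for illustration, not a published formula.

```python
"""Worked severity-range estimate for a data-breach scenario.

Hypothetical model (added example): every multiplier and cost below is an
assumption for illustration, not a standard or a measured figure.
"""
from dataclasses import dataclass


@dataclass
class SeverityFactors:
    # Internal factors (within our control)
    records_stored: int        # "How many data records do we store?"
    data_encrypted: bool       # "Do we encrypt our data?"
    detection_days: float      # "How long does it take us to detect security incidents?"
    insurance_cover: float     # "How much cyber insurance cover do we have?"
    # External factors (outside our control)
    notify_cost_per_record: float   # "How much would customer notification cost?"
    rectify_cost_per_record: float  # "How much would customer rectification cost?"
    fine_low: float                 # "What could be the level of fines we must pay?"
    fine_high: float


def estimate_severity(f: SeverityFactors) -> dict:
    """Return gross and net (after insurance) loss for low/likely/high cases."""
    # Assumption: encrypted data at rest removes most of the notification and
    # rectification duty, leaving a residual 10% for cases where keys are also exposed.
    affected_fraction = 0.1 if f.data_encrypted else 1.0
    per_record = f.notify_cost_per_record + f.rectify_cost_per_record
    direct = f.records_stored * per_record * affected_fraction
    # Assumption: longer dwell time before detection widens exposure; scale the
    # direct cost from 1.0x (detected immediately) up to 2.0x at 180+ days.
    dwell = 1.0 + min(f.detection_days, 180.0) / 180.0
    gross = {
        "low": direct + f.fine_low,                          # contained at detection, minimal fine
        "likely": direct * dwell + (f.fine_low + f.fine_high) / 2,
        "high": direct * dwell + f.fine_high,                # full dwell, maximum fine
    }
    # Insurance reduces the financial severity to the business, not the gross impact.
    net = {k: max(v - f.insurance_cover, 0.0) for k, v in gross.items()}
    return {"gross": gross, "net": net}


if __name__ == "__main__":
    # Constructed sample figures, not taken from any real organisation.
    base = SeverityFactors(100_000, False, 90.0, 1_000_000.0, 2.0, 5.0, 50_000.0, 500_000.0)
    encrypted = SeverityFactors(100_000, True, 90.0, 1_000_000.0, 2.0, 5.0, 50_000.0, 500_000.0)
    for label, factors in (("unencrypted", base), ("encrypted", encrypted)):
        print(label, estimate_severity(factors))
```

Comparing the two runs shows the effect of an internal control (encryption) on the same external cost factors: the net likely loss drops from 325,000 to zero once the residual exposure falls below the insurance cover.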