What is Impact Assessment?
Impact assessment is a critical step in cybersecurity reporting. It determines how a discovered vulnerability could affect an organization’s assets, operations, reputation, or data. A well-structured assessment helps stakeholders understand the real-world consequences of an exploit and prioritize remediation efforts accordingly.
🧠 Why is it Important?
- Provides business context for technical issues
- Supports prioritization and risk management
- Helps justify remediation actions and budgets
- Aligns with industry standards like CVSS and OWASP
⚙️ Methodologies Used
1. CVSS (Common Vulnerability Scoring System)
The CVSS is a standardized scoring system that evaluates vulnerabilities based on several metrics:
- Base Score: Exploitability and impact (confidentiality, integrity, availability)
- Temporal Score: Factors like remediation level and exploit maturity
- Environmental Score: Customizable for the target environment
2. DREAD Model (Legacy)
Though less commonly used today, DREAD evaluates:
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability
3. Business Impact Analysis (BIA)
Focuses on organizational context. A vulnerability is rated based on:
- Data exposure (PII, credentials, financial records)
- Operational disruption
- Brand or reputation impact
- Legal or regulatory consequences
📌 How to Perform an Impact Assessment
Step 1: Identify the Asset
What system, data, or application is affected? Who uses it, and how critical is it?
Step 2: Determine the Exploitability
Is the vulnerability exploitable remotely or locally? Is authentication required?
Step 3: Analyze the Potential Impact
Could an attacker gain unauthorized access, escalate privileges, or disrupt services?
Step 4: Rate the Severity
Use a scoring system (e.g., CVSS) or custom criticality scale (Low / Medium / High / Critical).
Step 5: Provide Business Context
Explain the potential business damage in clear, non-technical language.
🔍 Real-World Example
Vulnerability: SQL Injection on login endpoint
Asset: Customer login page of e-commerce platform
Impact: An attacker could extract customer records including names, emails, and payment tokens.
Assessment:
- CVSS Score: 9.1 (Critical)
- Business Impact: Major data breach and GDPR non-compliance
- Severity: Critical
💡 Practical Tips
- Always explain impact in business terms for non-technical stakeholders
- Use CVSS calculators (CVSS v3.1 Calculator)
- Cross-reference with OWASP Risk Rating methodology for web issues
- Reassess the impact if the scope or configuration changes