A defined method is used to estimate impact for higher-priority cyber risks (for example, comparison to actual events, risk quantification).
Context and Guidance: A defined method to estimate the impact of risks and risk categories (e.g., safety impacts, operational disruption, potential cost of downtime, cost of lost data, and cost of recovery) is beneficial since it provides a common comparison point for risks. This method helps identify and prioritise the most critical risks that could impact operations. Mathematical or statistical methods may be used to determine a value such as the potential cost if a risk is realised.
Related Practices
• Input From: Implementing RISK-3a provides input that may be useful for implementing this practice.
• Progression: This practice is part of multiple practice progressions. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in the first progression include: RISK-3b, RISK-3c, RISK-4c, RISK-4d.
• The practices in the second progression include: RISK-3c, RISK-3d, RISK-3e.