A successful exploit by a threat actor or threat source will result in a compromise of one or more of the following information asset components:
- Confidentiality
- Integrity
- Availability
This compromise will have a business impact. The SPF and IAS1 identify business impact levels from IL0 (low) to IL6 (high). The business impact is the impact that a compromise has on the operations or efficiency of an organisation, its customers or citizens.
Unlike a protective marking (e.g. CONFIDENTIAL), which is concerned with the level of control, handling and management of the asset, the impact level (IL) determines the value of an information asset if compromised and how it can impact the following:
- Financial loss to an organisation;
- Operational effectiveness of a system/service if compromised;
- Reputational damage to an organisation;
- Stress caused to an individual/citizen;
- International relationships with friendly or allied nations/governments.
There is a one-to-one relationship between the protective marking and the impact level (but not the other way around), as can be seen below.
- Non Protectively Marked (NPM) / Unclassified = IL0/IL1
- PROTECT = IL2
- RESTRICTED = IL3
- CONFIDENTIAL = IL4
- SECRET = IL5
- TOP SECRET = IL6
IL2, IL3 and IL4 are also correlated with CIA values as follows:
- IL2 corresponds to 2-2-4
- IL3 corresponds to 3-3-4
- IL4 corresponds to 4-4-4