
A Standard Level represents a formalized and concise measure for risk, risk impact, probability indicators, mitigation recommendations and control scores.

The goal of this document is to ensure consistency and coherence between security documents which measure risk or impact, or which score security controls.

Each level is documented with the following information:

  • Level color coding (and name / name schemes).
  • Level expectations:
    • Attention
    • Impact
    • Effort
    • Risk acceptance (and who should accept it)
    • Timeframe for resolution or SLA/SLO (Service Level Agreement/Objective)
    • Any of your organization customizations (mappings to other frameworks, etc.)
  • Justification of impacts in terms of how it affects:
    • Reputation (includes legal)
    • Productivity
    • Finances (includes loss due to productivity loss, e.g. 10 team members * 100K USD / 365 = loss per day for those 10 team members)
    • Competitive Advantage

The risk levels are qualitative risk buckets, with clearly defined quantitative ranges where applicable. They are generally used to display risk, risk impact, risk probability, or importance. The scores are used to score security preventive or detection controls.

When implementing these levels, you will want to customize them for your own risk tolerance, for example how much financial, reputation, etc. damage maps to which level. To make this easier, the values to change are underlined.

This is important: when using the levels for assessing risk impact or probability, it is very strongly recommended to justify the level by providing your own justification of impacts with threat scenarios. When unsure which level to choose, it can be helpful to think in terms of “Why Not Higher” and “Why Not Lower”, i.e. try to justify the next lower or higher level and see if it makes sense. Pick the closest.

Levels definitions

The risk levels also represent a simplified ISO 31000 equivalent (and are not compliant with ISO 31000).


MAXIMUM Color code: #d04437

  • Attention: Full attention from all concerned parties required.
  • Impact: Severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions.
  • Effort: All resources engaged on fixing issues.
  • Risk acceptance: Rarely accepted as residual risk, must be discussed, and must be mitigated or remediated. CSO, VP or board approval required.
  • SLO: Recommend fixing immediately (P0).

Justification of impacts:

  • Reputation: Significant degradation of public trust in the organization and/or its products. Prominent (mainstream media) press coverage, long-term negative media coverage > 4 weeks, political/regulatory investigation, 1+ customer lawsuit, SEC sanctions.
  • Productivity: Most team members in one or many product areas cannot perform their normal day to day work.
  • Finances: Organization or customer revenue impact of > $100M USD/year or in a single year.
  • Competitive advantage: Loss of competitive advantage in relevant industry, Competitors will understand the internal product & strategy, 80%+ users or customers impacted.

Examples:

  • Substantial damage to organizational assets.
  • Immediate, systematic compromise of systems and users.
  • Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

HIGH Color code: #ffd351

  • Attention: Full attention from all concerned parties required.
  • Impact: Significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced.
  • Effort: Some key resources engaged in fixing the issue.
  • Risk acceptance: Rarely accepted as residual risk, must be discussed, and must be mitigated or remediated. VP or director approval required.
  • SLO: Recommend fixing within the next 7 days (P1).

Justification of impacts:

  • Reputation: Limited press coverage (technical news only), medium term negative media coverage < 1 week, political/regulatory scrutiny, 1 or no customer lawsuits.
  • Productivity: Large groups (20+) of team members cannot perform their day to day work.
  • Finances: Organization or customer revenue impact of $10M to $100M USD/year or in a single year.
  • Competitive advantage: Some loss of competitive advantage, competitors may understand internal product & strategy. Some services’ external user base impacted (50% or less of user base).

Examples:

  • Considerable damage to organizational assets.
  • Serious compromise of a team member or sensitive team’s systems.
  • Significant financial loss or result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

MEDIUM Color code: #4a6785

  • Attention: Attention from all concerned parties.
  • Impact: Degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced.
  • Effort: Best effort. Following standards and guidelines is still required.
  • Risk acceptance: Risk should be discussed, and at least mitigated. May request approvals from manager or team lead.
  • SLO: Recommend remediation within 90 days (P2).

Justification of impacts:

  • Reputation: Internal chatter (issue tracker, chatrooms, …), limited or no press coverage (only Tweets, blogs, etc.), short term negative media coverage < 2 days, no political/regulatory scrutiny, no customer lawsuits.
  • Productivity: Small groups (<10) of team members cannot perform some of their work for a few days (less than a week).
  • Finances: Organization or customer revenue impact of < $1M USD/year or in a single year.
  • Competitive advantage: No loss of competitive advantage, No exposure of internal product & strategy, Limited external user base impacted (15% or less of user base).

Examples:

  • Limited damage to organizational assets.
  • Violation of security properties that are relied upon for user or system access decisions, which does not lead to direct compromise of sensitive data.
  • Minor financial loss.
  • No or very little harm to individuals.

LOW Color code: #cccccc

  • Attention: Expected but not required.
  • Impact: Insignificant degradation in mission capability, effectiveness of the functions is potentially reduced.
  • Effort: Best effort and best practices expected.
  • Risk acceptance: Risk may often be accepted as residual risk without any approval.
  • SLO: No time limit (P3, P4+).

Justification of impacts:

  • Reputation: No press coverage, no internal chatter, no political/regulatory scrutiny, 0 customer lawsuits.
  • Productivity: Small groups (<5) of team members cannot perform some of their work for a limited amount of time (24h).
  • Finances: Organization or customer revenue impact of less than $1M USD/year or in a single year.
  • Competitive advantage: No loss of competitive advantage, no exposure of internal product & strategy, little or no external user base impacted (less than 1% of user base).

Examples:

  • No noticeable damage to organizational assets, finances, or harm to individuals.
  • Violation of expected security properties or best practices, but does not lead to compromise or does not lead to an escalation of privileges.

UNKNOWN Color code: #ffffff

  • Data collection is expected.
  • This level is expected to change to one of the other levels once data is collected.

This is not a real level; it is used to represent that we do not have enough data to correctly assess the level (i.e. data collection work is required).

Communicating the risk of not knowing is challenging and prone to failure, in particular when, once data has been gathered, the risk turns out to be low.

This concept is also known as “trust, but verify”, i.e. unknown does not distrust the service, user, etc. by default (by assigning it a higher risk).
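As an added example (not part of the original document), the module below turns the quantitative figures in the level definitions above into a level assessment, and produces the “Why Not Higher” / “Why Not Lower” notes the document asks for. The thresholds are the document's; the bands the document leaves unassigned (the $1M to $10M revenue band, 50% to 80% of users, 10 to 19 blocked team members, and the headcount that counts as “most team members”) are filled with labelled assumptions, as is the placement of exact boundary values such as $100M. The `Dimension` and `assess_impact` names are this example's own.

```python
"""Map quantitative impact figures to the standard risk levels.

Added example, not the document's own tooling. Thresholds come from the level
definitions; bands the document does not assign are marked ASSUMPTION below.
Customize the numbers in default_dimensions() for your own risk tolerance.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordered low -> high. UNKNOWN is not a real level and is only returned when no data is given.
LEVELS = ["LOW", "MEDIUM", "HIGH", "MAXIMUM"]


@dataclass
class Dimension:
    """One impact dimension with ascending bands of (lower bound, level); the first bound is 0."""
    name: str
    unit: str
    bands: List[Tuple[float, str]]
    inclusive_lower: bool = True  # False where the document phrases a band as "X or less"

    def _matches(self, i: int, value: float) -> bool:
        if i == 0:
            return True
        lo = self.bands[i][0]
        return value >= lo if self.inclusive_lower else value > lo

    def assess(self, value: float) -> Tuple[str, List[str]]:
        """Return the level for `value` plus the 'why not higher / why not lower' notes."""
        if value < 0:
            raise ValueError(f"{self.name} cannot be negative")
        idx = max(i for i in range(len(self.bands)) if self._matches(i, value))
        lo, level = self.bands[idx]
        notes = []
        if idx + 1 < len(self.bands):
            nxt_lo, nxt = self.bands[idx + 1]
            notes.append(f"why not {nxt}: {self.name} {value}{self.unit} does not reach {nxt_lo}{self.unit}")
        if idx > 0:
            _, prev = self.bands[idx - 1]
            notes.append(f"why not {prev}: {self.name} {value}{self.unit} is past the {level} bound {lo}{self.unit}")
        return level, notes


def default_dimensions() -> Dict[str, Dimension]:
    """Thresholds from the level definitions; edit these to match your organization."""
    return {
        # Revenue impact per year (or in a single year), USD.
        # Document: LOW and MEDIUM both say < $1M, HIGH $10M to $100M, MAXIMUM > $100M.
        # ASSUMPTION: the $1M-$10M band is treated as MEDIUM; exactly $100M lands in MAXIMUM.
        "finances": Dimension("revenue impact", " USD", [
            (0, "LOW"), (1_000_000, "MEDIUM"), (10_000_000, "HIGH"), (100_000_000, "MAXIMUM")]),
        # Share of the external user base impacted, in percent.
        # Document: LOW < 1%, MEDIUM 15% or less, HIGH 50% or less, MAXIMUM 80%+.
        # ASSUMPTION: 50%-80% is treated as HIGH. "Or less" phrasing -> exclusive lower bounds.
        "users": Dimension("users impacted", "%", [
            (0, "LOW"), (1, "MEDIUM"), (15, "HIGH"), (80, "MAXIMUM")], inclusive_lower=False),
        # Team members who cannot do their normal work.
        # Document: LOW < 5, MEDIUM < 10, HIGH 20+, MAXIMUM "most team members".
        # ASSUMPTION: 10-19 is treated as HIGH; "most team members" is set at 100 people.
        "productivity": Dimension("team members blocked", "", [
            (0, "LOW"), (5, "MEDIUM"), (10, "HIGH"), (100, "MAXIMUM")]),
    }


def assess_impact(values: Dict[str, float], dims: Dict[str, Dimension] = None):
    """Assess each dimension and take the highest level as the overall impact.

    Returns (overall_level, {dimension: (level, notes)}). With no data at all the
    result is UNKNOWN, matching the document's use of that pseudo-level.
    """
    dims = dims or default_dimensions()
    if not values:
        return "UNKNOWN", {}
    unknown = set(values) - set(dims)
    if unknown:
        raise ValueError(f"unknown dimensions: {sorted(unknown)}")
    per_dim = {name: dims[name].assess(v) for name, v in values.items()}
    overall = max((lvl for lvl, _ in per_dim.values()), key=LEVELS.index)
    return overall, per_dim


def daily_productivity_loss(team_members: int, yearly_cost_per_member_usd: float) -> float:
    """The document's rule of thumb: members * yearly cost / 365 = loss per day."""
    return team_members * yearly_cost_per_member_usd / 365


if __name__ == "__main__":
    # Constructed scenario: a $25M revenue hit, 5% of users impacted, 3 people blocked.
    overall, detail = assess_impact({"finances": 25_000_000, "users": 5, "productivity": 3})
    print("overall:", overall)
    for name, (level, notes) in detail.items():
        print(f"  {name}: {level}; " + "; ".join(notes))
    print("daily loss for 10 people at 100K USD/year:", round(daily_productivity_loss(10, 100_000), 2))
```

The overall level is the maximum across dimensions because a single MAXIMUM-grade consequence is enough to justify that level regardless of the others; the per-dimension notes are what you paste into the written justification the document asks for.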

Scoring

The following scores are intended to provide a grade for a particular objective. The scores map back to the standard risk level definitions so that automatic risk mapping can be performed if necessary. Scores are useful to grade security prevention & detection controls implementation, fleet coverage, etc.

These scoring levels are also used, for example, on the Mozilla Observatory.

The use of + and - modifiers in front of scores (e.g. “A+”) is allowed if necessary. These are added to represent going slightly above or below expectations.


A Color code: #14892c

The A grade is the highest possible grade.

  • Prevention, detection controls: Clear story for how the threat is prevented or detected. Bypassing the control would require a zero-day vulnerability, or compromise of another system.
  • Fleet coverage: 100% of controls are applied in the fleet, and this can be verified.
  • Support all known features, processes, mitigations and controls.
  • No recommendations or backlogged work items.
  • All intentions of objective met.
  • Well maintained, well defined, well measured.

B Color code: #4a6785

  • Prevention, detection controls: There may be known residual risks in the threat model that aren’t covered by the control, but they require very sophisticated attackers or special access to exploit.
  • Fleet coverage: 90%+ of controls are applied in the fleet, and the fleet is not expected to grow without the controls being applied.
  • Supports most important features, processes, mitigations and controls.
  • There may be LOW or MEDIUM recommendations that have not yet been followed.
  • Some outliers need attention.
  • Most intentions of objective met.

The following scores may moderately contribute to risk.

C Color code: #ffd351

  • Prevention, detection controls: Opportunistic controls for the most important threats.
  • Fleet coverage: 60%+ of controls are applied to the fleet. Some devices are protected, and there is a clear path forward to increasing adoption.
  • Potential service blocker.
  • Needs attention and features need to be enabled/controls added.
  • There may be LOW or MEDIUM recommendations that have not yet been followed.
  • May relate to a significant amount of risk.
  • Minimal to moderate intentions of objective met.

D Color code: #ffd351

  • Prevention, detection controls: There are large known gaps in the security posture regarding this control.
  • Fleet coverage: 30%+ of controls are applied in the fleet. Some devices are protected, but there is no clear path to universal adoption of the control.
  • Potential service blocker.
  • Needs attention and features need to be enabled/controls added.
  • There may be LOW, MEDIUM or HIGH recommendations that have not yet been followed.
  • May relate to a significant amount of risk.
  • Minimal to moderate intentions of objective met.

Lowest possible grade, score may greatly contribute to risk.

F Color code: #d04437

  • Prevention, detection controls: There are little to no controls to mitigate threats.
  • Fleet coverage: Unknown or low amount of controls are applied in the fleet.
  • Zero to minimal intentions of objective met.
  • Immediate attention and action are required.
  • There may be many recommendations that have not yet been followed, including MAXIMUM recommendations.
  • May relate to a great amount of risk.
  • Score likely to block the service or project.