Human Impact
Human Impact v2.0.1
Human Impact is a combination of Safety and Mission impacts.
| Value | Definition |
|---|---|
| Low | Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled) |
| Medium | (Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled)) |
| High | (Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure) |
| Very High | Safety Impact:Catastrophic OR Mission Impact:Mission Failure |
{
"namespace": "ssvc",
"version": "2.0.1",
"key": "HI",
"name": "Human Impact",
"description": "Human Impact is a combination of Safety and Mission impacts.",
"values": [
{
"key": "L",
"name": "Low",
"description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
"description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
"description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
"description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
}
See also
Human Impact is a combination of Safety Impact and Mission Impact
Note: This is a compound decision point1, therefore it is a notational convenience.
Human Impact is a combination of how a vulnerability can affect an organization's mission essential functions as well as safety considerations, whether for the organization's personnel or the public at large. We observe that the day-to-day operations of an organization often have already built in a degree of tolerance to small-scale variance in mission impacts. Thus in our opinion we need only concern ourselves with discriminating well at the upper end of the scale. Therefore we combine the two lesser mission impacts of degraded and MEF support crippled into a single category, while retaining the distinction between MEF Failure and Mission Failure at the extreme. This gives us three levels of mission impact to work with. On the other hand, most organizations tend to have lower tolerance for variance in safety. Even small deviations in safety are unlikely to go unnoticed or unaddressed. We suspect that the presence of regulatory oversight for safety issues and its absence at the lower end of the mission impact scale influences this behavior. Because of this higher sensitivity to safety concerns, we chose to retain a four-level resolution for the safety dimension. We then combine Mission Impact with Situated Safety impact and map them onto a 4-tiered scale (Low, Medium, High, Very High). The mapping is shown in the table above.
Safety and Mission Impact Decision Points for Industry Sectors
We expect to encounter diversity in both safety and mission impacts across different organizations. However, we also anticipate a degree of commonality of impacts to arise across organizations within a given industry sector. For example, different industry sectors may have different use cases for the same software. Therefore, vulnerability information providers—that is, vulnerability databases, Information Sharing and Analysis Organizations (ISAOs), or Information Sharing and Analysis Centers (ISACs)—may provide SSVC information tailored as appropriate to their constituency's safety and mission concerns. For considerations on how organizations might communicate SSVC information to their constituents, see Guidance on Communicating Results.
Prior Versions
Human Impact v2.0.0
Human Impact is a combination of Safety and Mission impacts.
| Value | Definition |
|---|---|
| Low | Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled) |
| Medium | (Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled)) |
| High | (Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure) |
| Very High | Safety Impact:Catastrophic OR Mission Impact:Mission Failure |
{
"namespace": "ssvc",
"version": "2.0.0",
"key": "HI",
"name": "Human Impact",
"description": "Human Impact is a combination of Safety and Mission impacts.",
"values": [
{
"key": "L",
"name": "Low",
"description": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
},
{
"key": "M",
"name": "Medium",
"description": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
},
{
"key": "H",
"name": "High",
"description": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
},
{
"key": "VH",
"name": "Very High",
"description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
}
Mission and Well-Being Impact v1.0.0
Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.
| Value | Definition |
|---|---|
| Low | Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal |
| Medium | Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material) |
| High | Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible) |
{
"namespace": "ssvc",
"version": "1.0.0",
"key": "MWI",
"name": "Mission and Well-Being Impact",
"description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
"values": [
{
"key": "L",
"name": "Low",
"description": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
},
{
"key": "M",
"name": "Medium",
"description": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
},
{
"key": "H",
"name": "High",
"description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
}
]
}
-
In pilot implementations of SSVC, we received feedback that organizations tend to think of mission and safety impacts as if they were combined into a single factor: in other words, the priority increases regardless which of the two impact factors was increased. We therefore combine Safety Impact and Mission Impact for deployers into a single Human Impact factor as a dimension reduction step. ↩