Skip to main content

Table 1 Definitions of consequence, likelihood and risk level

From: Video calls from lay bystanders to dispatch centers - risk assessment of information security

Category Description
Consequence
Low For the hospital or the service: No violation of law; or negligible economic loss which can be restored; or small reduction of reputation in the short run.
  For the patient: A minor impact on health; or negligible economic loss which can be restored; or small reduction of reputation in the short run.
Medium For the hospital or the service: Offence, less serious violation of law which results in a warning or a reprimand; or economic loss which can be restored; or reduction of reputation that may influence trust and respect.
  For the patient: A minor temporary impact on health; or economic loss which can be restored; or small reduction of reputation caused by revealing of less serious information (e.g. blood pressure level).
High For the hospital or the service: Violation of law which results in penalty or fine; or a large economic loss which cannot be restored; or serious loss of reputation that will influence trust and respect for a long time.
  For the patient: Death or permanent reduction of health; or a large economic loss which cannot be restored; or serious loss of reputation caused by revealing of sensitive and offending information.
Likelihood
Low Rare, occurs less than every 100th connection. Detailed knowledge about the system is needed; or special equipment is needed; or it can only be performed deliberately.
Medium May happen, occurs between every 10th and every100th connection. Normal knowledge about the system is sufficient; or normally available equipment can be used; or it can be performed deliberately.
High Quite often, occurs between every 3rd and every10th connection. Can be done with minor knowledge about the system; or without any additional equipment being used; or it can be performed by wrong or careless usage.
Very high Very often, occurs more often than every 3rd connection. Can be done without any knowledge about the system; or without any additional equipment being used; or it can be performed by wrong or careless usage.
Risk level
Low Acceptable risk. The service can be used with the identified threats, but the threats must be observed to discover changes that could raise the risk level.
Moderate Can for this service be an acceptable risk, but for each threat the development of the risk should be monitored to consider whether necessary measures have to be implemented.
Severe Not acceptable risk. Cannot start using the service before risk reducing treatment has been implemented.