From: Video calls from lay bystanders to dispatch centers - risk assessment of information security
Category | Description |
---|---|
Consequence | |
Low | For the hospital or the service: No violation of law; or negligible economic loss which can be restored; or small reduction of reputation in the short run.<br>For the patient: A minor impact on health; or negligible economic loss which can be restored; or small reduction of reputation in the short run. |
Medium | For the hospital or the service: Offence, less serious violation of law which results in a warning or a reprimand; or economic loss which can be restored; or reduction of reputation that may influence trust and respect.<br>For the patient: A minor temporary impact on health; or economic loss which can be restored; or small reduction of reputation caused by revealing of less serious information (e.g. blood pressure level). |
High | For the hospital or the service: Violation of law which results in penalty or fine; or a large economic loss which cannot be restored; or serious loss of reputation that will influence trust and respect for a long time.<br>For the patient: Death or permanent reduction of health; or a large economic loss which cannot be restored; or serious loss of reputation caused by revealing of sensitive and offending information. |
Likelihood | |
Low | Rare, occurs less than every 100th connection. Detailed knowledge about the system is needed; or special equipment is needed; or it can only be performed deliberately. |
Medium | May happen, occurs between every 10th and every 100th connection. Normal knowledge about the system is sufficient; or normally available equipment can be used; or it can be performed deliberately. |
High | Quite often, occurs between every 3rd and every 10th connection. Can be done with minor knowledge about the system; or without any additional equipment being used; or it can be performed by wrong or careless usage. |
Very high | Very often, occurs more often than every 3rd connection. Can be done without any knowledge about the system; or without any additional equipment being used; or it can be performed by wrong or careless usage. |
Risk level | |
Low | Acceptable risk. The service can be used with the identified threats, but the threats must be observed to discover changes that could raise the risk level. |
Moderate | Can be an acceptable risk for this service, but for each threat the development of the risk should be monitored to consider whether necessary measures have to be implemented. |
Severe | Not an acceptable risk. The service cannot be put into use before risk-reducing treatment has been implemented. |