In Brief

An impact results when a threat exploits a vulnerability in an asset. The risk calculated during the risk assessment takes these three factors (threat, vulnerability and asset) into account.

Impact is measured on the compromised asset, i.e. as the harm caused by the loss of the asset's confidentiality, integrity or availability. From the impact expected from such a compromise, we deduce the classification level of the asset for each of confidentiality, integrity and availability.

However, damage and impact must be distinguished. Damage is the direct result of an event; impact is the assessment of the harm that the damage causes. For example:

  • A ‘stand-alone’ server breaks down: the damage is real, since the server must be repaired, and the impact on the assets it supports (e.g. e-mail) is also real, since the service is no longer available.
  • A server belonging to a ‘cluster’ breaks down: the damage is still real, but there is no impact on the e-mail service, since the other servers in the cluster continue to operate.
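The two examples above, and the deduction of a classification level from expected impact, as a small added model that is not part of the original text. The server names, the four-level impact scale and the multiplicative risk score are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed ordered scale of impact levels (assumption, not from the text).
IMPACT_LEVELS = ["none", "low", "medium", "high"]
CRITERIA = ("confidentiality", "integrity", "availability")


@dataclass
class Service:
    name: str
    servers: list          # hypothetical server names hosting the service
    expected_impact: dict  # expected impact per criterion if that criterion is lost


def classify(service):
    """Deduce the classification level per criterion from the expected impact
    of losing that criterion; the overall level is the highest of the three."""
    per_criterion = {c: service.expected_impact[c] for c in CRITERIA}
    overall = max(per_criterion.values(), key=IMPACT_LEVELS.index)
    return per_criterion, overall


def availability_impact(service, failed_servers):
    """Damage vs impact: every failed server is damage (it must be repaired),
    but the service only suffers an availability impact when no server survives."""
    damaged = [s for s in service.servers if s in failed_servers]
    surviving = [s for s in service.servers if s not in failed_servers]
    impact = "none" if surviving else service.expected_impact["availability"]
    return {"damage": damaged, "impact": impact}


def risk_score(threat_likelihood, vuln_exploitability, impact_level):
    """Assumed risk model combining the three factors: threat (likelihood 0..1),
    vulnerability (exploitability 0..1) and asset (impact index 0..3)."""
    return threat_likelihood * vuln_exploitability * IMPACT_LEVELS.index(impact_level)


# Constructed sample: the same e-mail service, stand-alone versus clustered.
MAIL_IMPACT = {"confidentiality": "medium", "integrity": "medium", "availability": "high"}
STANDALONE_MAIL = Service("e-mail", ["mail01"], MAIL_IMPACT)
CLUSTER_MAIL = Service("e-mail", ["mail01", "mail02"], MAIL_IMPACT)

if __name__ == "__main__":
    print(classify(STANDALONE_MAIL))
    print(availability_impact(STANDALONE_MAIL, {"mail01"}))  # damage and impact
    print(availability_impact(CLUSTER_MAIL, {"mail01"}))     # damage, no impact
```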

Impact Categories


Almost all impacts end up being measured in financial terms. Under this heading, however, we group only the direct financial impacts, such as the revenue lost by an e-commerce site when its Internet connection is cut. Other financial impacts in this category include embezzlement through software modification and the theft of ‘credit card’ data.

The misuse of certain stolen data may lead to legal proceedings by the persons concerned, and the loss of such data may also put the organisation in breach of certain contractual conditions. If the computer system is taken over and used to attack other users (distributed attacks, spamming, etc.), this can be regarded as a failure of supervision and lead to a criminal conviction.


Impacts on reputation are grouped under this name. Since the confidence of customers and suppliers remains one of the major components of trade, any incident in this area quickly turns into a financial impact.


Industrial or commercial espionage, aimed at appropriating the manufacturing secrets, customer files or other private data of a person, falls into this category, which is the most difficult to estimate financially. The inability to exercise one’s profession following the destruction of IT equipment (fire, flood, etc.) is also included here.


Time, especially for a business, is a very critical element: the time lost to an incident is time the user could have invested in other important tasks.