Answer from a Club EBIOS member: “Pay attention to scales using several types of impacts”

EBIOS guide reminder: “This action [scale development] consists of creating a scale describing all possible levels of impacts, just like the scales of needs, a scale of impact levels is usually ordinal (the objects are classified in order of magnitude, the numbers indicate ranks and not quantities) and composed of several levels to classify all risks“.Therefore, it is usual to see users of the method build several ordinal scales depending on the nature of the impact (financial, legal, operations, privacy…) to estimate the severity of the feared events. The construction is then done by individually scaling each type of impact, without worrying about the consistency between the levels.

However, only a global result is used in risk maps to assess the severity of each compared to the others. Information on the nature of the impacts is lost.

To avoid misleading conclusions about the importance of risks, care must be taken to check the transverse coherence of the gradation of impacts in the scales. For example, checking that the estimatation of a level 3 impact on operations will be of the same value for the organization as the financial and legal impacts of the same level.
Where possible, the pivotal criterion (for consistency) may be the financial scale. If this is not the case (often the case), the side-by-side impacts should be presented and their importance assessed by those seeking consensus. In this case, the scales can have empty boxes (level having no equivalence for all types of impacts considered). This can be the case when one estimates the loss of human lives for example.

It is sometimes difficult for managers to establish these scales in a generic way. A good solution is then to ask the stakeholders to prioritize the feared events after identifying the impacts, and build the scales based on this estimate.

Answer from another member: “It is useful to have heterogeneous impact scales, it is an important means of communication with the business”

In addition, the ideal is in my opinion:

  • to have a scale for each type of impacts (financial, image, legal, operation, privacy…) by covering the entire spectrum of possibilities (from worst to best);
  • to present the impacts side by side when analyzing the feared events and consider their severity;
  • to recall the different impacts and their estimation when presenting the risks map (which only keeps the most important value).

This makes it easy to carry out a study of both information security and privacy by presenting side-by-side the impacts to the organization and the impacts to the individuals (data subjects).