Impact is Significance modified by the different forms of Immediacy
In the entire risk structure, the only thing that Digital Security as an organization can reliably affect is the Controls/Management aspect. All other aspects of the process are defined outside of the Security team: we need to identify them and can determine which are in context for us, but we cannot change them. Within Likelihood, the threats are controlled by the originators of those threats. Within Impact, Immediacy and Significance are either inherent or defined by the business needs.
Context – the context is the defined structure against which the other portions of risk are compared and on which they depend.
It defines the scale of review and management of controls.
In short: what are the scope and limitations of the risk management?
•What is being protected/assessed?
–Group, Segment, Business Unit, Project, Plant, Pipeline, …
•What are the applicable impact mechanisms?
–Confidentiality, Integrity, Availability, Environmental, Safety, Liability…
•What are the applicable threat sources?
–Eve the evil hacker, Joe the employee, Virus, Mafia, Government, Competition…
•What are the acceptable Controls/Management functions?
–How much cost is acceptable?
–How much admin is acceptable?
–Who has Authority?
–Who has Responsibility?
–How does it overlap with other controls? e.g. failsafes, FC&A, physical security