
Table 1 Definitions of values for consequence, likelihood, and risk level used in the risk assessment

From: Privacy and information security risks in a technology platform for home-based chronic disease rehabilitation and education

Consequence:
Small: For the hospital or the service: No violation of law; offence that does not lead to reaction; or negligible financial loss which can be recovered; or small reduction of reputation in the short run. For the patient: No impact on health; or negligible financial loss which can be recovered; or small reduction of reputation in the short run.
Moderate: For the hospital or the service: Offence, less serious violation of law which results in a warning or a reprimand; or financial loss which can be recovered; or reduction of reputation that may influence trust and respect. For the patient: No direct impact on health or a minor temporary impact; or financial loss which can be recovered; or some loss of reputation caused by revelation of less sensitive or offensive health information.
Severe: For the hospital or the service: Violation of law which results in minor penalty or fine; or a large financial loss which cannot be recovered; or serious loss of reputation that will affect trust and respect for a long time. For the patient: Reduced health; or some financial loss which cannot be recovered; or serious loss of reputation caused by revealing of sensitive and offending information.
Catastrophic: For the hospital or the service: Serious violation of law which results in a penalty or fine; or considerable financial loss which cannot be recovered; or serious loss of reputation which is devastating for trust and respect. For the patient: Death or permanent damage of health; or considerable financial loss which cannot be recovered; or serious loss of reputation which permanently affects life, health, and finances.

Likelihood:
Low: Rare, occurs less frequently than every 10th year, or less than 10 % of the times the system/service is used. Detailed knowledge about the system is needed; or special equipment is needed; or it can only be performed deliberately and with the help of internal personnel.
Medium: May happen, occurs not more than once a year, or between 10 % and 30 % of the times the system/service is used. Normal knowledge about the system is sufficient; or normally available equipment can be used; or it can be performed deliberately.
High: Fairly often, occurs several times a year, or between 30 % and 50 % of the times the system/service is used. Can be done with minor knowledge about the system; or without any additional equipment being used; or it can occur because of wrong or careless usage.
Very high: Very often, occurs several times a month or more frequently than 50 % of the times the system/service is used. Can be done without any knowledge about the system; or without any additional equipment being used; or it can occur because of wrong or careless usage.

Risk level:
Low: Acceptable risk. The service can be used with the identified threats, but the threats must be observed to detect changes that could increase the risk level.
Medium: Possibly an acceptable risk for this particular service, but each threat must be considered separately and the development of the risk must be monitored on a regular basis, with an assessment of whether remedial measures should be implemented.
High: Unacceptable risk. Cannot start using the service before risk reducing measures have been implemented.