See how cyber incidents are assessed

Here is how the Obama administration is determining the severity and significance of a cyber incident. In a major cyber-hack, whom do you call? The White House spells it out.

Cyber Incident Severity Schema
The United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission, adopted a common schema for describing the severity of cyber incidents affecting the homeland, U.S. capabilities, or U.S. interests. The schema establishes a common framework for evaluating and assessing cyber incidents to ensure that all departments and agencies have a common view of the:

- The severity of a given incident;
- The urgency required for responding to a given incident;
- The seniority level necessary for coordinating response efforts; and
- The level of investment required of response efforts.

The table below depicts several key elements of the schema.

Severity level and general definition:

Level 5, Emergency (Black): Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons.
Level 4, Severe (Red): Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties.
Level 3, High (Orange): Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
Level 2, Medium (Yellow): May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
Level 1, Low (Green): Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
Level 0, Baseline (White): Unsubstantiated or inconsequential event.

Observed actions and the intended consequences grouped with them:

Effect: Cause physical consequence; damage computer and networking hardware.
Presence: Corrupt or destroy data; deny availability to a key system or service.
Engagement: Steal sensitive information; commit a financial crime.
Preparation: Nuisance DoS or defacement.

In addition to characterizing the observed activity, one must consider the scope and scale of the incident when applying the general definitions to arrive at a severity level.