Chapter 4. Insecurity Impacts

Executive summary

No organization is immune from the complex range of threats to its information assets and technology infrastructure. The financial, reputational, operational and punitive impacts of successful cyber attacks or information security failures are significant.

Types of impact

‘Impact’ is the consequence of the realisation of a threat. It is usually quantified financially, in terms of the likely loss to the organization. Estimation of likely loss is inexact, but should take into account both direct and indirect costs, including the likely business cost of reputational damage, loss of business, remedial advertising, investigating, closing the stable door, etc.

  • Every organization will suffer multiple instances ...
