Human impact change proposal #476

Merged
merged 3 commits into from
Feb 19, 2024
17 changes: 10 additions & 7 deletions docs/reference/decision_points/human_impact.md
Expand Up @@ -7,25 +7,28 @@
*Human Impact* is a combination of [Safety Impact](./safety_impact.md) and
[Mission Impact](./mission_impact.md)

This is a compound decision point, therefore it is a notational convenience.
Note: This is a compound decision point[^1], therefore it is a notational convenience.

In pilot implementations of SSVC, we received feedback that organizations tend to think of mission and safety impacts as
if they were combined into a single factor: in other words, the priority increases regardless which of the two impact factors was increased.
We therefore combine [Safety Impact](safety_impact.md) and
[Mission Impact](mission_impact.md) for deployers into a single _Human Impact_ factor
as a dimension reduction step as follows.
*Human Impact* is a combination of how a vulnerability can affect an organization's mission essential functions as well as
safety considerations, whether for the organization's personnel or the public at large.
We observe that the day-to-day operations of an organization often have already built in a degree of tolerance to small-scale variance in mission impacts.
Thus in our opinion we need only concern ourselves with discriminating well at the upper end of the scale.
Therefore we combine the two lesser mission impacts of degraded and MEF support crippled into a single category, while retaining the distinction between MEF Failure and Mission Failure at the extreme.
This gives us three levels of mission impact to work with.

On the other hand, most organizations tend to have lower tolerance for variance in safety.
Even small deviations in safety are unlikely to go unnoticed or unaddressed.
We suspect that the presence of regulatory oversight for safety issues and its absence at the lower end of the mission impact scale influences this behavior.
Because of this higher sensitivity to safety concerns, we chose to retain a four-level resolution for the safety dimension.
We then combine Mission Impact with Situated Safety impact and map them onto a 4-tiered scale (Low, Medium, High, Very High).
The mapping is shown in the table above.

[^1]: In pilot implementations of SSVC, we received feedback that organizations tend to think of mission and safety impacts as
if they were combined into a single factor: in other words, the priority increases regardless which of the two impact factors was increased.
We therefore combine [Safety Impact](safety_impact.md) and
[Mission Impact](mission_impact.md) for deployers into a single _Human Impact_ factor
as a dimension reduction step.


## Safety and Mission Impact Decision Points for Industry Sectors

We expect to encounter diversity in both safety and mission impacts across different organizations.
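Review bot: The footnote body for `[^1]` carries over the phrase "regardless which of the two impact factors was increased", which should read "regardless of which", and it links `safety_impact.md` and `mission_impact.md` without the `./` prefix that the opening sentence of this hunk uses for the same targets; since the paragraph is being moved anyway, both could be aligned here. The added body sentence that starts "*Human Impact* is a combination of how a vulnerability can affect ..." opens with the same words as the first line of the hunk, so the definition now appears twice a few lines apart; consider merging the two sentences or rewording the second so it only adds the mission essential functions and safety detail. Separately, "Situated Safety impact" in the sentence about the 4-tiered scale is capitalized differently from "Safety Impact" elsewhere in the file, so readers cannot tell whether it names a distinct decision point; a link or consistent capitalization would settle that.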