The second step of the security categorization process is the injury assessment.
The objective of the injury assessment is to determine the expected injuries from threat compromise for
each of the business processes and related information assets identified in the previous step. This is
achieved by first determining, using Table 8 as a guide, the injuries that are likely to occur as a result of
threats compromising the confidentiality, integrity, and availability of the business processes and related
information assets, and then attributing appropriate levels of these injuries. Confidentiality, integrity, and
availability apply to information assets, while integrity and availability apply to business processes.
Ideally, departments should assess injury for their business processes and related information assets
through a departmental process using multidisciplinary teams that include representatives from business,
legal, access to information, and privacy areas.
When assessing injuries, security practitioners should consider several factors that may influence the
results, including:
• Aggregation – Individual business processes and related information assets can each be assigned
an injury level. However, the injury that would result from compromise of an aggregate of
processes and information, considered as a whole, may be greater than the injury level assigned to
any of the individual parts.
• Inference – In some cases, the analysis of information categorized at one level of sensitivity may
allow an informed individual to draw and act upon conclusions that could compromise more
sensitive information. For example, personnel records categorized as Protected B for privacy
reasons might contain information that provides some indication of the individual’s role, and
therefore, the operational mission or capability of the parent organization—information that in
certain circumstances might compromise national interest.
• Interdependency – Due to interdependencies, the loss or degradation of one business process
and its associated information may impact other processes and related information. The purpose
of analyzing interdependencies is to determine if there is a likelihood of a high cascading effect
resulting from the compromise of a business process or information on other processes and
information. Similar to the problem of aggregation, the injury that would result from the
cascading loss of one element may be greater than the injury level assigned to any of the
independent elements. Types of interdependencies include physical (e.g., material output of one
infrastructure used by another); geographic (e.g., common corridor); and logical (e.g.,
dependency through financial markets).
As shown in Figure 4, the output of this step is a list of expected injuries and injury levels for
confidentiality, integrity, and availability by business process and related information assets. For
consistency within and across departments, security practitioners should adopt a common marking
scheme. As a guideline, it is recommended that security categories be expressed using the following
marking format:
(Protected/Classified Level, Very low/Low/Medium/High/Very high Integrity, Very
low/Low/Medium/High/Very high Availability).
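The interdependency factor and the marking format described above can be worked through in code. The following is an added example, not part of the original guidance: the element names, assessed levels, and dependency map are constructed, and raising integrity and availability to the highest level found among dependent elements is an assumption used here as a lower bound for analyst review, not a rule stated in this document.

```python
# Added example: all names and levels below are constructed for illustration.
LEVELS = ["Very low", "Low", "Medium", "High", "Very high"]

# element -> (confidentiality level, integrity injury, availability injury)
ASSESSED = {
    "payment-issuance": ("Protected B", "High", "Medium"),
    "client-registry": ("Protected B", "Medium", "Low"),
    "identity-verification": ("Protected A", "Medium", "Medium"),
    "benefits-portal": ("Protected A", "Low", "Low"),
}
# Logical interdependencies: element -> elements it relies on.
DEPENDS_ON = {
    "payment-issuance": ["client-registry", "identity-verification"],
    "client-registry": ["identity-verification"],
    "identity-verification": [],
    "benefits-portal": [],
}

def dependents_of(element):
    """All elements that directly or transitively rely on `element`."""
    found, stack = set(), [element]
    while stack:
        current = stack.pop()
        for name, deps in DEPENDS_ON.items():
            if current in deps and name not in found:
                found.add(name)  # the visited set also guards against cycles
                stack.append(name)
    return found

def cascaded_category(element):
    """Return (marking, raised) after accounting for cascading loss.

    Assumption: compromise of an element injures every element relying on
    it, so its integrity/availability level is at least the highest level
    among its dependents. Confidentiality is left as assessed.
    """
    conf, integ, avail = ASSESSED[element]
    i, a = LEVELS.index(integ), LEVELS.index(avail)
    for dep in dependents_of(element):
        _, dep_integ, dep_avail = ASSESSED[dep]
        i = max(i, LEVELS.index(dep_integ))
        a = max(a, LEVELS.index(dep_avail))
    raised = (LEVELS[i], LEVELS[a]) != (integ, avail)
    marking = f"({conf}, {LEVELS[i]} Integrity, {LEVELS[a]} Availability)"
    return marking, raised

def review_list():
    """Elements whose cascaded level exceeds their individually assessed level."""
    return sorted(e for e in ASSESSED if cascaded_category(e)[1])

if __name__ == "__main__":
    for name in ASSESSED:
        print(name, *cascaded_category(name))
```

Elements returned by `review_list()` are the ones where the individually assigned level understates the injury once dependents are considered, which is where the multidisciplinary team should revisit the assessment.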