Module 1: Threat identification and risk analysis(3/4)
Consequence and likelihood scoring
title: "Consequence and likelihood scoring" duration: "35 min"
From scenarios to numbers
You now have a set of threat × vulnerability pairs for each zone. This lesson teaches you how to assign consequence and likelihood scores — the two dimensions of risk.
Formula
Risk = Consequence × Likelihood
Consequence scoring
Consequence measures the impact if the threat scenario is fully realised. IEC 62443-3-2 recommends scoring across four impact categories:
| Category | What it measures | Example (water treatment) |
|---|---|---|
| Safety | Harm to human life or health | Toxic chlorine release — potential fatalities |
| Environmental | Harm to the natural environment | Untreated sewage discharge into a river |
| Financial | Direct and indirect monetary loss | Equipment damage, regulatory fines, lost production |
| Operational | Loss of essential function or reputation | Loss of water supply for 50,000 people |
The consequence scale
Use a 5-level scale. The highest category determines the overall consequence score:
| Level | Label | Safety | Financial | Operational |
|---|---|---|---|---|
| 5 | Catastrophic | Multiple fatalities | > $10M | Loss of critical infrastructure for > 7 days |
| 4 | Major | Single fatality or permanent injury | $1M–$10M | Loss of essential service for 1–7 days |
| 3 | Serious | Hospitalisation | $100K–$1M | Significant disruption for hours |
| 2 | Minor | First-aid injury | $10K–$100K | Minor disruption, quickly recoverable |
| 1 | Negligible | No injury | < $10K | Cosmetic or administrative impact |
Key takeaway
Use the worst case
If a scenario scores 2 on financial but 4 on safety, the overall consequence is 4. Safety always dominates.
Example: reference plant Zone 1
Scenario: Attacker modifies chemical dosing PLC setpoints via unauthenticated S7comm.
- Safety: Overdose of chlorine could cause respiratory harm — Level 3 (Serious).
- Environmental: Excess chlorine discharged to waterway — Level 3.
- Financial: Regulatory fine, remediation — Level 2.
- Operational: Boil-water advisory, plant shutdown — Level 3.
- Overall consequence: 3.
Likelihood scoring
Likelihood measures how probable it is that the scenario occurs within the assessment period (typically one year).
Factors that influence likelihood
| Factor | Increases likelihood | Decreases likelihood |
|---|---|---|
| Threat-source motivation | Water/energy sector (strategic targets) | Low-profile, non-critical facility |
| Threat-source capability | Nation-state APT, ransomware-as-a-service | Script kiddie, low-capability hacktivist |
| Vulnerability exposure | Internet-facing, default credentials | Air-gapped, MFA, protocol-aware FW |
| Existing controls | None or weak | Defence in depth, monitoring, patching |
| Attack complexity | Simple (one step, off-the-shelf tools) | Complex (multi-stage, custom tooling) |
The likelihood scale
| Level | Label | Description |
|---|---|---|
| 5 | Almost certain | Expected to occur multiple times per year |
| 4 | Likely | Expected to occur at least once per year |
| 3 | Possible | Could occur within the assessment period |
| 2 | Unlikely | Could occur but not expected |
| 1 | Rare | Requires extraordinary circumstances |
Example: reference plant Zone 1
Scenario: Cybercriminal reaches Zone 1 via compromised engineering conduit.
- Threat-source capability: moderate (ransomware crew with initial-access broker).
- Vulnerability exposure: S7comm unauthenticated, engineering conduit time-gated but bidirectional.
- Existing controls: firewall (not protocol-aware), no ICS monitoring.
- Likelihood: 3 (Possible).
The risk matrix
Combine consequence and likelihood in a 5×5 matrix:
| Negligible (1) | Minor (2) | Serious (3) | Major (4) | Catastrophic (5) | |
|---|---|---|---|---|---|
| Almost certain (5) | Medium | High | Critical | Critical | Critical |
| Likely (4) | Low | Medium | High | Critical | Critical |
| Possible (3) | Low | Medium | High | High | Critical |
| Unlikely (2) | Low | Low | Medium | Medium | High |
| Rare (1) | Low | Low | Low | Medium | Medium |
Example: Zone 1 risk score
Consequence 3 × Likelihood 3 = High risk.
This zone requires SL-T ≥ 2 and targeted remediation of the unauthenticated S7comm conduit.
Analogy
The risk matrix is a triage tool, not a precision instrument. Its job is to separate the critical from the negligible so you allocate resources to the right zones first. Do not over-engineer the scores — if two assessors disagree by ±1, the matrix still produces the same priority band.
Key Takeaways
- Consequence is scored across four categories (safety, environmental, financial, operational); the highest category wins.
- Likelihood is scored based on threat-source capability, vulnerability exposure, existing controls, and attack complexity.
- Risk = Consequence × Likelihood, visualised in a 5×5 matrix.
- The risk score determines the priority band (Low / Medium / High / Critical) and drives SL-T assignment.
- The matrix is a triage tool — do not over-engineer the precision of individual scores.
Knowledge Check
3 questions — test your understanding before moving on.
Q1.When scoring consequence, if a scenario scores 2 on financial impact but 4 on safety impact, what is the overall consequence score?
- 2 — use the lowest score.
- 3 — use the average.
- 4 — use the highest score; safety dominates.
- 6 — add the scores together.
The overall consequence score is the highest across all four impact categories (safety, environmental, financial, operational). Safety always dominates because the IEC 62443 framework prioritises availability and human safety.
Q2.What does the risk matrix combine to produce a risk rating?
- Threat source capability and vulnerability count.
- Consequence score (1–5) and likelihood score (1–5).
- SL-T and SL-C vectors.
- Number of zones and number of conduits.
Risk = Consequence × Likelihood. The 5×5 risk matrix maps the intersection of a consequence score (1–5) and a likelihood score (1–5) to a risk band: Low, Medium, High, or Critical.
Q3.What is the purpose of the risk matrix?
- To calculate the exact dollar cost of each risk.
- To serve as a triage tool that separates critical risks from negligible ones so resources are allocated correctly.
- To determine the number of firewalls needed.
- To assign CVE severity scores.
The risk matrix is a triage tool, not a precision instrument. Its job is to separate risks into priority bands (Low/Medium/High/Critical) so the organisation allocates remediation resources to the right zones first.