
Investigate other non-logical impact types

Open Chris-Turner-NIST opened this issue 5 years ago • 1 comments

User Story:

Organizations may care about impacts a vulnerability could cause that are not simply related to human injury or property destruction. A small list of possible categories was provided regarding the types of other impacts or the perspective of impacts that could be included as a direct impact from a vulnerability being exploited.

- Financial
- Government
- Catastrophe level events
- FDA
- NRC

Goals:

Determine if any of these or similar items that come out of research would work with the Vulntology model. Impacts would need to be specific to the vulnerability.

Dependencies:

N/A

Acceptance Criteria

[ ] Research completed into other areas of non-logical impacts
[ ] Determinations clearly defined regarding types that should be considered for inclusion into Vulntology and where they would best fit

Chris-Turner-NIST, Sep 03 '19 12:09

We've addressed something similar to this in SSVC; the resources we've collected and how we organized them into a decision might be helpful for you: https://github.com/CERTCC/SSVC/blob/main/doc/version_1/045_treesForVulMgmt_3.md Though as of this writing, we have some open issues we're still working on in this area too (such as https://github.com/CERTCC/SSVC/issues/46). Would be happy if you have thoughts on that.

j---, Nov 12 '20 19:11