Expel uses the following matrix to map an alert's fidelity and impact to an Expel alert severity.

[Figure: Matrix_Alert_Fidelity.png, the alert fidelity and impact to Expel alert severity matrix]

Expel considers the following when assigning severities of Critical, High, Medium, or Low to Expel-created rule content, and when reclassifying certain security product alerts:

  1. How likely is it that the underlying logic that generated the alert correctly identifies what it was designed to identify? This is also known as the alert fidelity:

    • High Fidelity: the alert maintains a true positive rate of 50% or greater.

    • Medium Fidelity: the alert maintains a true positive rate between 5% and 50%.

    • Low Fidelity: the alert maintains a true positive rate between 0% and 5%.

  2. If the alert is a true positive, what is the impact to the organization?

    • High Impact: there's a high or absolute likelihood of consequences, including but not limited to:

      • Business operation outage to critical systems

      • Large reputational damage

      • Large amount of regulated data exposed

      • Catastrophic exposure of trade secrets

      • Large financial loss

    • Medium Impact: there's a high or absolute likelihood of consequences, including but not limited to:

      • Business operation outage to non-critical systems

      • Limited reputational damage

      • Limited amount of regulated data exposed

      • Limited exposure of trade secrets

      • Limited financial loss

    • Low Impact:

      • No business operation outage

      • No reputational damage

      • No amount of regulated data exposed

      • No exposure of trade secrets

      • No financial loss