Expel uses the following matrix to map an alert's fidelity and impact to an Expel alert severity.

Expel considers the following when assigning severities of Critical, High, Medium, or Low to Expel-created rule content, and when reclassifying certain security product alerts:
- How likely is it that the underlying logic that generated the alert identifies what it was designed to identify? This is also known as the alert fidelity:
  - High Fidelity: the alert maintains a true positive rate of 50% or greater.
  - Medium Fidelity: the alert maintains a true positive rate between 5% and 50%.
  - Low Fidelity: the alert maintains a true positive rate between 0% and 5%.
- If the alert is a true positive, what is the impact to the organization?
  - High Impact: there's a high or absolute likelihood of consequences, including but not limited to:
    - Business operation outage to critical systems
    - Large reputational damage
    - Large amount of regulated data exposed
    - Catastrophic exposure of trade secrets
    - Large financial loss
  - Medium Impact: there's a high or absolute likelihood of consequences, including but not limited to:
    - Business operation outage to non-critical systems
    - Limited reputational damage
    - Limited amount of regulated data exposed
    - Limited exposure of trade secrets
    - Limited financial loss
  - Low Impact:
    - No business operation outage
    - No reputational damage
    - No amount of regulated data exposed
    - No exposure of trade secrets
    - No financial loss
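The following is an added example, not Expel's code, showing how a detection team might apply the two dimensions above to a rule's own history: it computes a rule's true positive rate from closed-alert dispositions, places it in the fidelity band using the thresholds stated on this page, and combines it with an impact band via a matrix lookup. The page describes a matrix but does not reproduce it, so the matrix cells below are an illustrative placeholder, not Expel's mapping; the sample dispositions are constructed, and the tie-break for the shared band endpoints (50% and 5% are listed in two bands each) is our assumption.

```python
from fractions import Fraction
from typing import Dict, Iterable, Tuple

# Fidelity thresholds as stated on the page (true positive rate of the rule).
HIGH_FIDELITY_MIN = Fraction(1, 2)     # 50% or greater
MEDIUM_FIDELITY_MIN = Fraction(1, 20)  # 5% up to 50%

FIDELITY_BANDS = ("High", "Medium", "Low")
IMPACT_BANDS = ("High", "Medium", "Low")


def true_positive_rate(dispositions: Iterable[str]) -> Fraction:
    """Fraction of closed alerts from a rule that analysts marked true positive.

    `dispositions` holds one "tp" or "fp" per closed alert. A rule with no
    history returns 0, so it starts in the Low band until it has a track record
    (our assumption; the page does not say how new rules are handled).
    """
    outcomes = [d.lower() for d in dispositions]
    unknown = set(outcomes) - {"tp", "fp"}
    if unknown:
        raise ValueError(f"unknown disposition(s): {sorted(unknown)}")
    if not outcomes:
        return Fraction(0)
    return Fraction(outcomes.count("tp"), len(outcomes))


def fidelity_band(tp_rate) -> str:
    """Map a true positive rate to the page's High/Medium/Low fidelity bands.

    The page's bands share their endpoints (50% appears in both High and
    Medium, 5% in both Medium and Low); we resolve a shared endpoint to the
    higher band. That tie-break is ours, not stated on the page.
    """
    if not 0 <= tp_rate <= 1:
        raise ValueError("true positive rate must be between 0 and 1")
    if tp_rate >= HIGH_FIDELITY_MIN:
        return "High"
    if tp_rate >= MEDIUM_FIDELITY_MIN:
        return "Medium"
    return "Low"


# ILLUSTRATIVE PLACEHOLDER: the page says a matrix maps fidelity and impact to
# severity but does not reproduce it. These cells are stand-in values chosen
# for this example and are NOT Expel's matrix.
PLACEHOLDER_SEVERITY_MATRIX: Dict[Tuple[str, str], str] = {
    ("High", "High"): "Critical",
    ("High", "Medium"): "High",
    ("High", "Low"): "Medium",
    ("Medium", "High"): "High",
    ("Medium", "Medium"): "Medium",
    ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium",
    ("Low", "Medium"): "Low",
    ("Low", "Low"): "Low",
}


def severity(fidelity: str, impact: str,
             matrix: Dict[Tuple[str, str], str] = PLACEHOLDER_SEVERITY_MATRIX) -> str:
    """Look up the severity for a (fidelity, impact) pair in the given matrix."""
    if fidelity not in FIDELITY_BANDS:
        raise ValueError(f"fidelity must be one of {FIDELITY_BANDS}, got {fidelity!r}")
    if impact not in IMPACT_BANDS:
        raise ValueError(f"impact must be one of {IMPACT_BANDS}, got {impact!r}")
    return matrix[(fidelity, impact)]


def score_rule(dispositions: Iterable[str], impact: str,
               matrix: Dict[Tuple[str, str], str] = PLACEHOLDER_SEVERITY_MATRIX) -> Dict[str, object]:
    """Full pipeline: disposition history -> TP rate -> fidelity -> severity."""
    rate = true_positive_rate(dispositions)
    fidelity = fidelity_band(rate)
    return {
        "true_positive_rate": rate,
        "fidelity": fidelity,
        "impact": impact,
        "severity": severity(fidelity, impact, matrix),
    }


# Constructed sample history for a hypothetical rule: 12 closed alerts, 3 true positives (25%).
SAMPLE_DISPOSITIONS = ["tp", "fp", "fp", "fp", "tp", "fp",
                       "fp", "fp", "fp", "tp", "fp", "fp"]

if __name__ == "__main__":
    # A 25% TP rate lands in Medium fidelity; paired with High impact the
    # placeholder matrix yields "High".
    print(score_rule(SAMPLE_DISPOSITIONS, impact="High"))
```

Re-running `score_rule` as dispositions accumulate is a cheap way to notice a rule drifting out of the band its severity was assigned under; the matrix itself should be replaced with the organization's actual mapping before the output is acted on.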