The UK-based Cyber Monitoring Centre (CMC) created a system to rank the severity of cybersecurity incidents from 1 (low) to 5 (help!).
The effort, which calculates scores based on factors like affected population and financial impact, lets the public know what a group of experts considers to be the most impactful threats.
“If we crack this, and I’m confident that we will, ultimately it could be a huge boost to cybersecurity efforts, not just here but internationally, too,” Ciaran Martin, technical committee leader and former CEO of the National Cyber Security Centre (NCSC), said in a statement announcing the program.
A year in review. Ransomware attacks targeted institutions like the British Library, Transport for London, and UK hospitals in 2024.
The NCSC received 317 reports of ransomware in 2024. The NCSC’s incident management team also took in 1,957 reports of cyberattacks that were triaged into 430 incidents requiring support; the previous year had 371 incidents, according to the annual report.
In its 2024 annual review the NCSC warned that “the severity of the risk facing the UK is—widely—underestimated by organisations from all sectors.”
5 out of 5. With the newly announced CMC severity score, events are assessed with a grid scale, factoring in:
- The affected population, or “the number of organisations that have experienced a financial impact of £1k or greater to their UK operations as the result of a cyber event.”
- Financial impact, or “the loss to the affected population due to the cyber event,” due to factors like business interruption, incident-response costs, and extortion (but not regulatory fines or apology payments).
An affected population of more than 136,000 organizations and a financial impact greater than £5 billion equals a category 5, according to the grid shown in CMC resources.
A technical committee of “leading cyber experts” gathers polling, incident data, and input from involved entities and groups like industry associations to reach its final 1-to-5 decision.
Following the decision, the group will post the category and an explanation of the analysis, according to the post announcing the news.
Ian Birdsey, partner and cyber specialist at global law firm Clyde & Co, welcomes “a more uniform approach to assessing the impact of material cyber events over £100m,” and appreciates the greater visibility around cyber event impact, which lets orgs better prepare themselves. He also shared his thoughts on the system’s limitations: by design, the grading will only be available post-event, so it will not proactively assist the victim organization itself, Birdsey mentioned.
“Additionally, as the reports and the grading system will be public-facing, it is unclear the degree to which victim organizations will welcome the quantification of their cyber losses in circumstances where this could affect their reputation or even their market value,” Birdsey wrote in an email to IT Brew.