A veteran security pro just sent me an email on my post Extending the Information Security Incident Classification with Crisis Levels. He suggested a Crisis beyond Crisis 1 -- "organization collapses." That is a real Game Over -- Crisis 0. In other words, the cost of dealing with the crisis bankrupts the victim organization, or the organization is ordered to shut down, or any other consequence that removes the organization as a "going concern," to use some accountant-speak.
I guess the hunt is on now to discover example organizations which have ceased to exist as a result of information security breaches. The rough part of that exercise is connecting all the dots. Who can say that, as a result of stealing intellectual property, a competitor gained persistent economic advantage over the victim and drove it to bankruptcy? These are the sorts of consequences whose timeline is likely to evade just about everyone.
Putting on my historian's hat, I remember the many spies who stole the manufacturing methods developed by the pioneers of the Industrial Revolution in Great Britain, resulting in technology transfers to developing countries. Great Britain's influence faded in the following century.
I'm sure some savvy reader knows of some corporate espionage case that ended badly for the victim, i.e., bankruptcy or the like?
Incidentally, I should remind everyone (and myself) that my classification system was intended to by applied to a single system. It is possible to imagine a scenario where one system is so key to the enterprise that a breach of its data does result in Crisis 3, 2, 1, or 0, but that's probably a stretch for the worst Crisis levels. Getting to such a severe state probably requires a more comprehensive breach. So, let's not get too carried away by extending the classification too far.
Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.