SPECTRA — Kernel ImpactfulElement needs clarification

Review 16-05-2025
Impactful Element
o Typically, there are three main objectives, CIA, I am not sure where “privacy” and “safety” came from. These are both outcomes from maintaining CIA objectives and should not be listed as their own objectives. For example, “Safety” is not something measured by an “ImpactLevel”.
o If this is meant to describe the system stakeholder desires for the system, beyond the mission, I do not think it does a good enough job. If we are moving beyond the typical “CIA” context then there are dozens of outcomes here that a system stakeholder could care about: performance, stability, resiliency, cost etc. Just like with safety I do not think this is a good way to measure stakeholder “wants” here.

NM: I would like to consider moving in the direction of capturing the key concerns that a system stakeholder could care about, as enumerated here. This is used to frame the risk claims appropriately, where the risk claims must be precisely aligned with the concerns of the stakeholders.
NM: there is also a related suggestion to use the 5D for the Capabilities and Mission, such a Deny, Degrade, Destroy, Deceive, Disrupt, Deter. While they map to CIA, they add distinct flavour that addresses concerns for cyber and especially cyber-physical systems