| Metric | Description |
| None (N) | A vulnerability with no internal organizational impact implies it does not affect the organization in any significant way. |
| Low (L) | A vulnerability with low internal organizational impact has minimal consequences for the organization. While it may cause some disruption or inconvenience, it can typically be addressed using existing resources and processes without significant disruption to operations or business continuity. |
| Medium (M) | A vulnerability with moderate internal organizational impact results in tangible losses and consequences for the organization. It may disrupt operations, decrease productivity or morale, or result in the loss of some intellectual property or sensitive information; however, it does not pose an existential threat. |
| High (H) | A vulnerability with high internal organizational impact has significant ramifications for the organization, leading to substantial reputational damage, operational disruptions, and potentially severe financial losses [14] . It may cause widespread disruption to business continuity, loss of critical intellectual property or sensitive information, and erosion of trust among employees, partners, and stakeholders. |