| Metric | Description |
| None (N) | A vulnerability with no external organizational impact implies it does not affect the organization in any significant way. |
| Low (L) | A vulnerability with low external organizational impact has minimal consequences for the organization externally. While it may cause some disruption or inconvenience, it can typically be addressed using existing resources and processes without significant disruption to customer trust or loyalty, financial losses, customer service, or reputation. |
| Medium (M) | A vulnerability with moderate external organizational impact results in tangible losses and consequences for the organization externally. It may lead to some loss of customer trust or loyalty, financial losses, or customer service disruptions, however, it does not pose an existential threat. |
| High (H) | A vulnerability with high external organizational impact has significant ramifications for the organization, leading to substantial financial losses, reputational damage, and potential legal consequences externally. It may result in widespread loss of customer trust or loyalty, customer service disruptions, and intense regulatory scrutiny [15] . |