This is the measure that is based on how a threat steals data and what it does to the data stolen. Information theft is associated with this field. Most, if not all, malware have information theft routines. These routines steal specific data. Based on the data stolen and the manner the stolen data is distributed, Information Exposure can have the following ratings:
- High - malware that steals personally identifiable information (PII), finance-related information, industry-specific data and hardware information (mobile IMEI) and it sends gathered information via HTTP, SMTP or FTP. It may also be capable of getting a person or a company’s data, causing financial loss and/or damage to reputation to the individual or the company.
- Medium - malware that steals gaming-related information or product serial numbers. Information stolen has little effect on users.
- Low - malware that has no information theft capability, therefore no information is exposed.