pbom-dev / OSCAR

A comprehensive, systematic and actionable way to understand attacker behaviors and techniques with respect to the software supply chain

New technique - Proprietary data stolen & Customers compromised

6mile opened this issue · comments

I think that the far right side of the OSC&R matrix needs to be beefed up to help the customer connect how all the things to the left in OSC&R were connected, which culminated in something bad happening to their company or resources in the Impact column.
Said a different way, if OSC&R is an end-to-end lifecycle of how an attack starts, evolves, and finally delivers value for an attacker, we need to expand on what that final "value" is for the criminal.

To this end, I suggest that we create two new items in the last column of OSC&R:

  1. Proprietary data stolen
  2. Customers compromised

@6mile This is a good point and I agree that we should add more items to the Impact section.

However, I think that as we are creating a practical framework for supply chain attacks, we need to add more precise items related to the supply chain.

So, could you please map these generic examples to supply chain cases?