Good question. This is something that I feel has been challenging within DLP for a long time. The "built in" feature for assigning a severity of High, Medium, Low, or Info based only on match count is somewhat limiting, in my opinion.
I dealt with this a while back by creating a more complex "risk model" for DLP based on weighting attributes of an incident differently. I created weighting based on several attributes:
- Policy
- Protocol
- Match Count
- Custom Attributes (i.e. "Department")
- Correlations (to other incidents, for instance)
- Recipient attributes (number of recipients, number of recipient domains, etc.)
In this way, I was able to assign a total risk score for an incident (on a 1 to 100 scale), which would enable you to focus review and remediation efforts based on the overall risk score. A PCI incident over email from Accounts Payable, for instance, might get a lower ranking than a PCI incident to a removable storage device from the Customer Service department, though the match count is the same.
With my model defined, I was then able to create code which I integrated into DLP as a custom plugin so that all incidents would get evaluated against this and assigned a risk score as a custom attribute. Actually, I built this all into an Excel spreadsheet that would create the code based on the answers in my model, so I could adjust it "on the fly" if I wanted to make changes.
To answer your question, a "generic" model would be just to base severity on match count, such as you already have available to you within DLP. Anything beyond that is really going to depend on your company's requirements, for which I recommend setting up a weighting algorithm such as I have described above.
Hope that's helpful to you.
Regards,
~Keith
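The weighted model Keith describes, worked through as an added example. This is not Keith's plugin or spreadsheet-generated code; every weight, the per-value lookup tables (policy, protocol, department) and the three sample incidents are constructed assumptions chosen only to show how the same match count can land at different risk scores once the other attributes are weighted in.

```python
"""Weighted DLP incident risk scoring on a 1..100 scale.

Added illustration of the risk model described in the post above; not the
author's plugin code. All weights, lookup tables and sample incidents are
assumptions for demonstration.
"""
from dataclasses import dataclass, field

# Each attribute yields a 0.0..1.0 sub-score that is multiplied by its weight.
# Weights sum to 100 so the weighted sum already sits on a 0..100 scale.
WEIGHTS = {
    "policy": 25,
    "protocol": 20,
    "match_count": 15,
    "department": 15,   # a custom attribute, as in the post
    "correlation": 10,
    "recipients": 15,
}
assert sum(WEIGHTS.values()) == 100

# Assumed per-value scores; a real deployment would tune these to its own policies.
POLICY_SCORE = {"PCI": 1.0, "PII": 0.8, "Confidential": 0.6, "Marketing": 0.2}
PROTOCOL_SCORE = {"Removable Storage": 1.0, "Web Upload": 0.8, "Email": 0.5, "Print": 0.4}
DEPARTMENT_SCORE = {"Customer Service": 0.8, "Engineering": 0.6, "Accounts Payable": 0.3}


@dataclass
class Incident:
    policy: str
    protocol: str
    match_count: int
    department: str
    related_incidents: int = 0          # number of correlated incidents
    recipients: list = field(default_factory=list)


def lookup(table, key, default=0.5):
    """Unknown values get a neutral score rather than silently scoring zero."""
    return table.get(key, default)


def match_count_score(n, cap=50):
    """Saturating score: match counts at or above `cap` all score 1.0."""
    return min(n, cap) / cap


def correlation_score(related, cap=5):
    return min(related, cap) / cap


def recipient_score(recipients):
    """Average of two signals: how many recipients, and how many distinct domains."""
    if not recipients:
        return 0.0
    domains = {addr.split("@")[-1].lower() for addr in recipients}
    count = min(len(recipients), 10) / 10
    spread = min(len(domains), 5) / 5
    return (count + spread) / 2


def components(inc):
    """Per-attribute sub-scores (0..1) so an analyst can see what drove the score."""
    return {
        "policy": lookup(POLICY_SCORE, inc.policy),
        "protocol": lookup(PROTOCOL_SCORE, inc.protocol),
        "match_count": match_count_score(inc.match_count),
        "department": lookup(DEPARTMENT_SCORE, inc.department),
        "correlation": correlation_score(inc.related_incidents),
        "recipients": recipient_score(inc.recipients),
    }


def risk_score(inc):
    """Weighted sum, clamped to the 1..100 scale used in the post."""
    total = sum(WEIGHTS[k] * v for k, v in components(inc).items())
    return max(1, min(100, round(total)))


def severity(score):
    """Map the numeric score back onto DLP's High/Medium/Low/Info buckets."""
    if score >= 75:
        return "High"
    if score >= 50:
        return "Medium"
    if score >= 25:
        return "Low"
    return "Info"


# Constructed sample incidents: the two from the post (same match count) plus
# one that exercises the correlation and recipient-spread signals.
PCI_EMAIL_AP = Incident("PCI", "Email", 10, "Accounts Payable",
                        recipients=["ap@vendor.example"])
PCI_USB_CS = Incident("PCI", "Removable Storage", 10, "Customer Service")
PII_UPLOAD_ENG = Incident("PII", "Web Upload", 60, "Engineering", related_incidents=3,
                          recipients=["a@x.example", "b@x.example", "c@y.example",
                                      "d@y.example", "e@z.example", "f@z.example"])

if __name__ == "__main__":
    for name, inc in [("PCI/email/AP", PCI_EMAIL_AP), ("PCI/USB/CS", PCI_USB_CS),
                      ("PII/upload/Eng", PII_UPLOAD_ENG)]:
        s = risk_score(inc)
        print(f"{name:15} score={s:3d} severity={severity(s):6} {components(inc)}")
```

With these weights the two PCI incidents from the post, identical in match count, come out at 45 (Low) for the email from Accounts Payable and 60 (Medium) for the removable-storage copy from Customer Service. Two design choices worth keeping whatever weights you pick: have the weights sum to 100 so the scale stays meaningful when you re-tune one attribute, and give unrecognised attribute values a neutral default rather than zero, otherwise a new policy or department that nobody added to the table quietly drags every incident it touches down the queue.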