An essential tool in the RiskLens Platform toolkit, loss tables power financial analysis of many common risk scenarios, such as data breaches or ransomware system outages, by providing the raw numbers for crunching secondary losses—in other words, the costs of court settlements, credit monitoring services for customers and other losses not connected with directly responding to the cyber incident.
In this short podcast, RiskLens Risk Consultant Tim Wynkoop explains the need-to-know information about loss tables, including
- Where the data in the tables comes from. RiskLens guides clients in gathering in-house data and adds more relevant data from industry sources and the extensive experience of our risk consultants.
- The business value of loss tables. Done correctly, and kept up to date, loss tables speed the risk analysis process for faster turnaround on what-if decisions on security investments.
Listen to the podcast, or read the transcript below.
Q: RiskLens loss tables – what are they?
A: I’ll give you a short answer and a long answer.
The short answer is, they’re like actuarial tables. The little bit longer answer for those people that aren’t familiar with actuarial tables, as I wasn’t, they are a way of breaking down loss in the FAIR model a little bit easier.
The FAIR model breaks loss down into primary and secondary, and this is a way of accounting for those activities that you would do for secondary stakeholders.
That’s secondary losses. It helps you categorize those in a way that makes sense and that is easily digestible for analysis.
Q: Where does the data that we’re using come from? Is it company data or industry data?
A: We have a little bit of both. For the majority of it, we want to make sure we are using your data so we work with your incident response team or similar to try to figure out what are those activities that you are going to do to respond to secondary stakeholders, for example, credit monitoring.
Now, we do also have industry data. When it comes to fines and judgements, we have a partnership with Advisen, where we are able to get information around a variety of different publicly available cases.
You may not have a lot of data, and we have industry experience, working with a variety of clients across a variety of different organizations and fields. We’ve been able to come up with a base starting point if you don’t have anything. But we tend to find that organizations have at least some data to work with.
Q: How do we help clients organize and make their data more useful?
A: When the [client] onboarding process happens, we go through and help you figure out what are those things you do for secondary stakeholders, and we walk you through that in a guided approach, and ultimately help you figure out what are the calculations that need to happen in order to get you to reasonable values.
Q: What do we mean by secondary stakeholders?
A: Those are anybody outside your organization. Those can be customers, regulators, the media, including auditors, as well.
Q: What’s an example of impact at the secondary level?
A: Say you have a breach of PII [personally identifiable information] from your organization. So, common things that you need to do are A) notify those customers that you lost their data and B) you more than likely have to provide credit monitoring for those people. So, that’s one value we will account for, among other things.
Q: So, now we’re actually doing a risk analysis – how do we use the loss tables?
A: Within the RiskLens Platform, you have the ability to say, I want to leverage the loss tables, I know that this is good data and it’s a very common scenario that we’re doing, like confidentiality-related scenarios, where you have a breach of information. Or scenarios where there may be an outage, an availability type of situation. Those are the main times you would want to leverage the loss tables within RiskLens.
Q: Ultimately, what’s the business value of loss tables – how do they support better decision-making?
A: Because, when we build them out, we go through that exercise of seeing what are the activities that you are performing, and it’s not a one-and-done situation – you want to update your loss tables once a year. So the more data you get around those common activities, and the more time passes, the more things you are potentially looking at to monitor, and you can get more and more value out of those, so that everybody is using the same information.
They also allow you to form an analysis much quicker. Since you are using that base set of data, you are able to get an analysis out that much faster, which allows the business to make decisions faster, for instance, whether they should implement a new control or do something else.
One of the values of a risk analysis is being able to make those types of decisions and the faster you can get it to them with your actual data, then the better they’ll be.
Q: So, basically, once you start off on quantitative risk analysis, it becomes a process of continual improvement.
A: Absolutely. You want to make sure your data doesn’t become stale. We’ve had examples where some of our organizations have had the unfortunate event of a breach actually happened. From the organization’s perspective that’s not very good. From a risk analysis perspective though, that’s a really good data point. You’ve had to spend that money and you’re able to provide better information going forward and prepare for those types of events.
Q: School of hard knocks. Well, thanks for explaining this, Tim.