What’s the same about a lost company cell phone, a web application attack and a database breach? Most information security personnel will automatically jump to the realization that they are all forms of confidentiality breaches, which is absolutely correct. A company cell phone could be housing sensitive corporate data, while a database could be home to all of an organization’s sensitive customer records. Yet, what most information security personnel fail to realize is what else these events have in common.
I’ll give you a hint: an organization feels the pain, to varying degrees, in roughly the same ways. This is to say that how the loss materializes (i.e. how the organization will spend its time and money) will be roughly the same regardless of which of the above events occurs. Most organizations will incur internal response costs investigating and remediating what has occurred. They will also incur external response costs managing and mitigating the responses from customers, regulators, business partners, etc.
Depending upon how bad the incident is, some organizations may also experience a loss of future revenue. Conveniently, one of the nice things about FAIR is that it breaks down how an organization will feel the pain from an event into the six forms of loss outlined in the FAIR standard. They are Productivity, Replacement, Response, Fines & Judgements, Competitive Advantage, and Reputation.
Now that we know what’s the same about the above events, what’s different about them? If you said the resulting impact, you’ve earned yourself a gold star. Although loss will materialize in roughly the same forms, the size of the loss will vary depending upon the characteristics of the asset. Going back to the example mentioned previously, the resulting impact from a lost company cell phone with just a handful of sensitive corporate emails will be considerably less than a database breach that houses millions of sensitive customer records.
So now that we’ve established the similarities and differences among the various information security events an organization may face, how do we operationalize this information? The answer is through loss tables. Loss tables provide two things that should be important to any risk analyst:
1. Loss tables aggregate loss data in one location, so the data can be accessed efficiently during an analysis.
2. Loss tables also ensure that the same loss data is used regardless of who is conducting the analysis or which scenario is being analyzed.
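As an added illustration (this is not RiskLens code, and the table layout and dollar figures are constructed, not industry data), here is a minimal loss table in Python that holds one entry for each of the six forms of loss and scores two scenarios from this post, a lost phone with a handful of sensitive emails and a breached database with millions of records. The same table and the same six forms are used for both; only the asset characteristics (here, the record count) change the magnitude.

```python
from dataclasses import dataclass

# The six forms of loss from the FAIR standard.
FORMS = ("productivity", "replacement", "response", "fines_judgments",
         "competitive_advantage", "reputation")


@dataclass(frozen=True)
class LossRange:
    """Min / most-likely / max estimate in dollars, collapsed to a
    PERT-style expected value for this illustration."""
    low: float
    likely: float
    high: float

    def expected(self) -> float:
        return (self.low + 4 * self.likely + self.high) / 6


# Constructed loss table (illustrative numbers only). Each form of loss has a
# fixed cost per event plus a variable cost per sensitive record exposed.
# Keyed by form -> (fixed LossRange, per-record LossRange).
LOSS_TABLE = {
    "productivity": (LossRange(2_000, 5_000, 20_000), LossRange(0, 0, 0)),
    "replacement": (LossRange(500, 1_000, 3_000), LossRange(0, 0, 0)),
    "response": (LossRange(5_000, 15_000, 60_000), LossRange(0.5, 1.5, 4.0)),
    "fines_judgments": (LossRange(0, 0, 10_000), LossRange(0.0, 0.2, 1.0)),
    "competitive_advantage": (LossRange(0, 0, 5_000), LossRange(0, 0, 0)),
    "reputation": (LossRange(0, 2_000, 20_000), LossRange(0.0, 0.5, 2.0)),
}


def scenario_loss(records: int, table=LOSS_TABLE) -> dict:
    """Expected loss per form for an event exposing `records` sensitive
    records. Every form is always present in the result, so each analyst
    works from the same structure and the same data for any scenario."""
    out = {}
    for form in FORMS:
        fixed, per_record = table[form]
        out[form] = fixed.expected() + per_record.expected() * records
    out["total"] = sum(out[f] for f in FORMS)
    return out


# Constructed scenarios from the post: a lost phone holding a handful of
# sensitive emails versus a database breach exposing millions of records.
PHONE = scenario_loss(records=25)
DATABASE = scenario_loss(records=2_000_000)
```

Both results carry the same six forms of loss; the database scenario's total is more than a hundred times the phone's because the per-record components dominate.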
As part of the RiskLens application and onboarding services, we help our clients develop a set of loss tables through the use of industry and internally aggregated data to ensure the results of any risk analysis accurately reflect their organization. Schedule a demo with our team today to figure out how we can help you.