The FAIR model (and the RiskLens risk quantification application built on it) are all about a disciplined way to talk about risk, including being very specific about the types of loss that can result directly or indirectly from or cyber attack or other event. These forms of loss have a very practical use: focussing the attention of the subject matter experts in the organization to supply the right data for a risk analysis. Here's a quick look at the six loss types in FAIR risk analysis, and where to find the most useful data.
Definition: Losses that result from an organization's inability to deliver its products or services.
What does this mean: When completing an analysis, it's easy to think “if this application goes down, X amount of employees would not be able to do their jobs”. True, however it can have much larger impact than just that. If that application is tied to customer ordering, then that also means during the outage customers have the inability to make purchases which would be considered an organizational productivity loss because they would be unable to fulfill customer orders. This is sometimes represented in loss of revenue for the time of the outage.
Notice that the main example that is used here for a Productivity Loss is an availability related scenario, however, there can be other scenarios (Confidentiality or Integrity) where a Productivity Loss would come into play.
Where to find the loss data: The best way to find out if a particular outage would have employee productivity losses would be to sit with the affected groups and document their process to see if an outage of a key system would really cause them downtime.
Definition: Losses that are associated with managing the event itself. This form of loss will be the most common across your analyses.
What does this mean: If you have ever had any type of a Loss Event occur within your organization, I can probably say with confidence that you have probably had what seems to be like endless meeting about the incident. The efficacy of those meetings aside, the time it takes to perform them is a cost you should account for in your analyses, besides the hands-on response work.
Keep in mind you can still have additional response costs even after the incident has been resolved.
Where to find the loss data: The best place for this type of information is your Incident Response team. Regardless of the type of event, they should know the steps they take to respond to it. The Business Continuity Planning team might also be a good data source.
Definition: The costs associated with the replacement of a capital asset or a person.
What does this mean: This one is pretty straightforward. If a server gets damaged, or a building, or you have to terminate an employee, all of these things have the potential for needing to be replaced. They are all costs you would want to account for in an analysis.
Keep in mind you may have some more costs associated with hiring a new person than you may realize. Make sure you work with the appropriate group within your organization to help you identify these costs.
Where to find the loss data : A potential source for how much it would cost to replace the capital asset could be the procurement group. They should know how much each purchased asset costs.
Fines and Judgements:
Definition: Penalties levied against an organization through civil, criminal or contractual actions, usually the result of a Confidentiality related scenario.
What does this mean: To take an ugly example, a company that suffers a data breach of personal information through poor security practices, and then doesn't publicly disclose it (and in a timely way), could be fined by the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), any one of 48 states–and then get sued by customers and have to pay on court judgements.
Where to find the loss data : Often it's available in public records and news accounts, though records on fines by some regulatory agencies may be hard to find. The U.S. Department of Health and Human Services (HHS) publishes fines for HIPAA violations and the FTC often publishes fines for PII data loss. Advisen, a vendor of information for the insurance industry, is an authoritative source on fines and judgements.
Definition: Losses associated with a diminished competitive advantage.
What does this mean: Your competitor is able to get better at what they are doing because the loss event at your organization. This tends to be generally related to Intellectual Property loss scenarios. This tends to be one of the harder forms of loss to calculate, however its possible, check out the IP case study.
Keep in mind sometimes an organization might consider this as Reputation damage.
Where to find the loss data: This information can usually be obtained from your marketing or product groups. This is one of the harder forms of loss to put substance around.
Definition: Losses associated with an external actor's perception of your organization whereby its main value proposition is diminished.
What does this mean: Basically, your organization sells less of its main product due to the loss event occurring. This can be a tricky thing to calculate for your organization because it deals with things outside of the organization's control. Also, it's going to be a calculation highly specific to your organization, and likely to require some serious conversation before reaching a consensus.
Keep in mind, don’t let this be the form of loss that holds up your analysis. Sometimes it's perfectly acceptable to not include this in early analyses until the organization has come to an agreement on how to calculate Reputation damage.
Where to find the loss data: Work with your marketing and/or privacy team. Sometimes the best approach is to just get the conversation started.