When working on the Loss Magnitude side of the FAIR risk model–and filling out lists for the standard six Forms of Loss-- there are some types of loss easy to overlook or too hard to get data for. In this post my aim is to share tips on some of these “less obvious losses” associated with 4 of the 6 standard forms on the model.
See the FAIR Model on one page.
Definition: Loss that results from an operational inability to deliver products or services
Don't Forget: Analysts often focus productivity loss on employee productivity. While this is correct, a much larger consideration should be given to organizational productivity (e.g. the ability of the organization to deliver on its value proposition). If a key system that processes customer orders goes offline - the inability to capture revenue during that outage would be a productivity loss.
Tip: Be careful with this form of loss. Ensure you account for only revenue actually lost, not just delayed or deferred.
Definition: Loss associated with the costs of managing a loss event, the most common form of loss.
Don't Forget: Meetings, many meetings. Organizations often underestimate the amount of soft cost associated with internal meetings, collaboration that would occur when any significant event materializes.
Tip: Leverage breach table-top exercises or other significant security events as reference for estimating the number of personnel involved and the extent of meetings.
Definition: Loss that results from an organization having to replace capital or human assets
Don't Forget: Employee replacement. If the threat is a malicious insider, you will likely fire the offender. Replacing an employee (job posting, interviewing, training) plus lost productivity as the new hire gets up to speed is easily within six figures – not as trivial and still an often unconsidered replacement cost.
Tip: Speak with hiring managers to understand the process and time allocated to finding and bringing in new resources.
Definition: Fines or judgments levied against the organization through civil, criminal, or contractual actions
Don't Forget: This is a source of loss that often has publicly available data. But when it comes to fines issued by regulators, industry data is often (not always) available. Some sources to try:
- Advisen - A treasure trove of publicly available data categorized and organized.
- HHS publishes their fines over HIPAA data.
- The FTC often publishes their fines related to PII data loss.
Other legal reputable blogs publish fines data from various other enforcement actions.
Tip: Ensure the sources of any industry data are reputable. We recommend looking to the actual source of the fine (regulatory body) or other reputable sources (Advisen).
Final Tip: I always encourage stakeholders to let me know if there are other loss considerations that I may not being be aware of when performing an analysis. These open-ended discussions often lead to continuing to learn about additional considerations related to the six standard forms of loss.
Do you have any interesting loss considerations to share?
How Expected Loss Can Be a Misleading Estimate of Risk