It happens, and in this case it cost Boeing the fees for two years of paid credit monitoring for the affected employees, plus the forensic team's time to confirm that it was all an innocent mistake. An innocent mistake, but a serious data breach nonetheless.
Whether the cause is a vindictive employee or a careless one, an email carrying confidential information ending up in the wrong hands is a reasonably likely event, not a remote one.
Here's how I would analyze the risk of a misdirected email using the FAIR model (follow along with the model here).
Email is not the risk, though you may have seen it on Top 10 Risk lists. In the FAIR model, risk is the probable frequency and probable magnitude of future loss, and the unit of analysis is a specific "loss event". Scoping means defining that loss event precisely.
There are three main elements to define in scoping:
The Asset at Risk
Something that may be affected, either by diminished value or by creating a liability for the owner. Through that lens, the asset here is the data in the email, not the email system itself.
The Threat Actor
We always focus on the probable rather than the merely possible; the most probable actor here is an insider. A threat does not have to come with malicious intent: in FAIR, a mistaken act can produce just as real a threat effect as a deliberate one.
The Effect
In other words, what you are worried about happening. The three types of effect are confidentiality, integrity and availability (C-I-A). In this case the effect is "C", a loss of confidentiality of the information in the email.
Now that we have defined the loss event, we're ready to dig into the analysis by gathering data from experts within the organization (for instance, the incident response, business continuity, or disaster recovery teams).
The FAIR model provides the structure for our research. For any scenario, we need to estimate two things: how often the loss event occurs (Loss Event Frequency) and how much it costs when it does (Loss Magnitude, ultimately the cost in dollars), based on previous experience within the organization and what we know of industry norms. Estimates are gathered as ranges (minimum, most likely, maximum) rather than single numbers, because the experts' uncertainty is part of the data.
I would question the subject matter experts along these lines:
Loss Event Frequency
How often does an email with confidential information reach the wrong recipient (in FAIR terms, the Threat Event Frequency), and how often does that contact actually turn into a loss rather than being caught or ignored (the Vulnerability)? Loss Event Frequency is the product of the two, expressed as events per year.
Loss Magnitude
Ask the experts for accurate cost data, based on known costs, in FAIR's two categories: primary loss, the costs the organization bears directly (forensics, notification, credit monitoring, lost productivity), and secondary loss, the costs that arise from the reactions of third parties (regulators, customers, litigants) along with the probability that an event provokes such a reaction at all.
We're ready to enter the gathered ranges into a spreadsheet or the RiskLens application and run a Monte Carlo simulation: each iteration draws a frequency and a magnitude from within the estimated ranges and combines them into a loss for one simulated year, and many thousands of iterations produce a distribution. The output is a smooth curve showing the range of potential losses in dollars on an annualized basis, from the most likely outcomes out to the expensive tail.
Final step: Compare that range to your appetite for risk and decide whether risk controls are worth the investment. To protect against email-challenged employees exposing confidential information, controls might include sharing the file through a password-protected file sharing site with multi-factor login instead of attaching it, so that a misdirected message carries only a link the wrong recipient cannot use. Rerunning the analysis with the reduced loss magnitude shows what the control buys you.
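To make the analysis steps above concrete, here is an added example of the Monte Carlo step written in Python. It is not code from the original post or from RiskLens; it is a minimal FAIR-style simulation of my own. The ranges (min, most likely, max), the secondary loss probability, the risk appetite and the assumed effect of the file-sharing control are all constructed, hypothetical numbers standing in for what the subject matter experts would give you, and the PERT distribution is a common choice for turning a three-point estimate into a sample, not something the post prescribes.

```python
"""FAIR-style Monte Carlo for one loss event scenario (added example).

All estimates below are constructed, hypothetical inputs: each is a
(min, most likely, max) range of the kind gathered from subject matter
experts in the interviews described above.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Inputs for one loss event scenario; ranges are (min, most_likely, max)."""
    name: str
    lef: tuple             # loss event frequency, events per year
    primary_loss: tuple    # dollars per event: forensics, notification, credit monitoring
    secondary_loss: tuple  # dollars per event when third parties react: legal, regulatory
    secondary_prob: float  # probability that an event triggers secondary loss


def pert_sample(rng, lo, mode, hi, lamb=4.0):
    """One draw from a PERT (modified beta) distribution over [lo, hi]."""
    if hi == lo:
        return float(lo)
    a = 1 + lamb * (mode - lo) / (hi - lo)
    b = 1 + lamb * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def poisson_sample(rng, rate):
    """Integer number of events in one year at the given rate (Knuth's method)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(rng, s):
    """Total loss in one simulated year: sample a frequency, then a magnitude per event."""
    n_events = poisson_sample(rng, pert_sample(rng, *s.lef))
    total = 0.0
    for _ in range(n_events):
        loss = pert_sample(rng, *s.primary_loss)
        if rng.random() < s.secondary_prob:
            loss += pert_sample(rng, *s.secondary_loss)
        total += loss
    return total


def run_simulation(s, iterations=10_000, seed=42):
    """Annualized loss exposure distribution, summarized by percentiles."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, s) for _ in range(iterations))

    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {"min": losses[0], "p10": pct(0.10), "p50": pct(0.50),
            "mean": statistics.fmean(losses), "p90": pct(0.90), "max": losses[-1]}


def exceeds_appetite(summary, appetite_dollars, key="p90"):
    """Decision rule: compare one point on the curve with the stated risk appetite."""
    return summary[key] > appetite_dollars


# Constructed baseline: the confidential data travels as an email attachment.
BASELINE = Scenario("attachment by email",
                    lef=(0.5, 2.0, 6.0),
                    primary_loss=(20_000, 80_000, 250_000),
                    secondary_loss=(0, 50_000, 500_000),
                    secondary_prob=0.3)

# Constructed control case (assumption): the data sits on a password-protected,
# MFA-gated share, so a misdirected message leaks only a link. The mistake
# happens just as often; the loss per event shrinks.
WITH_CONTROL = Scenario("link to protected share",
                        lef=(0.5, 2.0, 6.0),
                        primary_loss=(500, 2_000, 10_000),
                        secondary_loss=(0, 1_000, 20_000),
                        secondary_prob=0.05)

if __name__ == "__main__":
    appetite = 150_000  # hypothetical annual loss the organization will tolerate at p90
    for scenario in (BASELINE, WITH_CONTROL):
        summary = run_simulation(scenario)
        print(f"{scenario.name}: " + ", ".join(f"{k}=${v:,.0f}" for k, v in summary.items()))
        print("  exceeds appetite at p90:", exceeds_appetite(summary, appetite))
```

Two design points worth noting. Frequency is sampled first and then converted to a whole number of events for the year, so a year can have zero events (most years will, at low rates) and the annual loss distribution gets the long right tail that the curve in a real tool shows. And the control is modelled as a change to magnitude, not frequency, because a file-sharing site does nothing to stop an employee picking the wrong recipient; it only changes what the wrong recipient gets. If the control you are costing instead reduces how often the mistake happens (address-book hygiene, a send-delay with recipient confirmation), change the `lef` range rather than the loss ranges.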
Learn more:
Ransomware Risk: Setting Up a FAIR Analysis
Secrets to Gathering Good Data for a Risk Analysis