The FAIR Institute introduced in 2023 the FAIR Materiality Assessment Model (FAIR-MAM ™) a step change in quantifying loss magnitude for FAIR cyber risk analysis. FAIR-MAM enabled analysts to gather loss data at a granular level that ensured a high level of accuracy – and store it in an always available repository, ready for reporting the impact of a data breach or other loss event in a defensible format that could stand up to scrutiny by regulators.
Author Erica Eager is the creator of FAIR-MAM
We’re now introducing a tool to help further sharpen loss data for analysis: the Financial Impact Questionnaire (FIQ). (See the FIQ here.)
About FAIR-MAM
FAIR-MAM offers a bottom-up evaluation of loss magnitude specific to an organization. It organizes cost categories into 10 groups (Information Privacy, Proprietary Data Loss, Business Interruption, Reputation Loss, etc.) with many subcategories (for Reputation, that includes Market Value, Customer Retention, Employee Churn). See the model here.
To approach FAIR-MAM, organizations do the basic scoping of FAIR analysis, identifying their key assets or business resources (a customer database, a revenue-producing process, etc.) and mapping the types of attacks likely to target them.
Data for FAIR-MAM comes from industry benchmark data and sources internal to your company – and that’s where the Financial Impact Questionnaire (FIQ) comes in.
WATCH A VIDEO:
Introducing FAIR-MAM™ - A Comprehensive Approach to Loss Modeling in FAIR™
Loss Magnitude Data Gathering with the FIQ
The FIQ questions guide you through data gathering on the loss types that can’t be benchmarked. We tried to think through all the business resources that can generate losses in the event of a cyber incident. A few samples show the level of granularity in the FIQ:
Personally Identifiable Data
Do you process PCI transactions for PCI DSS members?
>>If yes, how many PCI transactions do you process annually for PCI DSS members?
>>For how many unique record holders do you store or archive PCI data processed by PCI DSS members?
Business Processes
What is the total annual revenue from Business Processes impacting Third Party's revenue?
>>Are there contractual penalties for revenue interruption from one or more Business Processes Impacting Third Party Revenue?
Cash
What is the total value of Cash and Equivalents accounts you manage that are owned by customers?
>>What is the total number of customer account holders that would require breach notification if Cash and Equivalents were stolen from their accounts?
>>What is the total number of customer account holders that would be offered credit monitoring and ID protection after Cash & Equivalents were stolen from their accounts?
Key FAIR-MAM Use Cases
1. Proactively Calculate and Track Risk before an Incident Becomes Material: Model the estimated financial losses from a company’s top cyber risk scenarios.
2. Post Incident Materiality Assessment: Estimate the cost of an attack on any of the company’s Business Resources from any type of risk scenario
3. Post Incident Materiality Tracker: Create a dynamic model that automatically adapts to new forensic investigation and operational inputs.Source: FAIR-MAM White Paper
______
Asking the Community to Help
See the FIQ spreadsheet here. We’re asking the FAIR Community to help us improve and maintain the FIQ as a resource to assist FAIR practitioners in gathering the types of data that are unique to their organizations and vital for producing high-confidence FAIR analysis. Contact Us with your ideas!
—-----
Visit How Material Is That Hack? FAIR-MAM in action, breaking down the losses from data breaches in the news.
