‘Low’ loss exposure scenarios are often cause for celebration, or at least an exhausted sigh of relief from the CISO who is already juggling the remediation plans of countless other higher risk scenarios. Before sliding that scenario to the land of forgotten scenarios at the bottom of the risk register, here are three things you should consider:
1. What is the driving factor for the low loss exposure?
Annualized Loss Exposure (ALE) takes into consideration both the frequency and magnitude of the event, meaning that either (or both) can be a driver for the minimal amount of risk you are seeing.
It is important to understand which side of the model is driving the low loss exposure so that you know what areas to continue to monitor. This is especially true if the low loss exposure appears to be driven by the frequency side of the model as a slight change in the landscape can lead to significant increases in loss exposure.
2. Are you good or lucky?
It is important to be mindful of scenarios that have a low Threat Event Frequency and high Vulnerability. These are what I like to refer to as “pure dumb luck” scenarios, as in it is pure dumb luck that nobody has tried to target your asset because they would have likely succeeded. Though I happen to like my label, my FAIR colleagues would call this an “Unstable Condition.”
If this is the case, a sudden onslaught of threat activity may lead to a significant increase in loss exposure. Be sure to continuously monitor this type of condition and consider implementing additional controls if you anticipate an influx of threat activity.
An example of an Unstable Condition is a DBA having unmonitored access to Personally Identifiable Information (PII). It is highly unlikely (we hope anyway) the DBA will attempt to act maliciously and steal the information, but if he/she did try, they would be successful.
3. Do you have backup?
The opposite of the “pure dumb luck” scenario is the “cross your fingers” scenario. (I know what you’re thinking – why didn’t Jack Jones ask my opinion when naming the risk qualifiers…). A “cross your fingers” scenario is when you are experiencing a high volume of attacks (Threat Event Frequency) but few or no attempts are successful due to the control you have in place (Vulnerability). This is known as a “Fragile Condition.”
If you are dependent on a single control to prevent attacks from being successful, then I suggest you keep your fingers crossed that the control does not fail. If it does, that high volume of attempts will immediately become a high volume of Loss Events which will dramatically impact your loss exposure. Any event in which there is a single preventative control in place to can be an example of a Fragile Condition.
Learn more:
How to Model Controls in a FAIR Risk Analysis
Join one of the three "Most Important Industry Organizations of the Last 30 Years" (according to the SC Media Awards) – become a member of the FAIR Institute.
