What should FAIR analysts make of these findings? Jack Freund, PhD, co-author of the FAIR book, a FAIR Institute fellow and Head of Methodology at VisibleRisk, collaborated with Cyentia on the report and gave this advice:
Q: What is the practical use of the data here which are, to some extent, about black swans, low frequency, very high impact?
A: If anything, I’ll say it’s a refutation against the notion that these events are black swans. Rare though they may be, they are certainly foreseeable.
This is the kind of thing that you need when you’re trying to build your loss ranges to account for those 95thpercentile or near worst-case kind of things. The report looks at all events with an aggregate loss of over $20 million dollars. So, this is definitely within striking range for a lot of organizations but perhaps not high frequency events.
Q: How does the report help with building out loss ranges?
A: We purposefully categorized the losses using FAIR terminology. You’ll see things like response cost, productivity, fines and judgments, so it’s tailor-made for risk analysts who are looking to better inform their FAIR analyses.
Q: What did the report find in terms of materiality, and what companies reported on?
Now, the interesting thing is, the size of a fine alone can be dwarfed by companies’ materiality based on a revenue benchmark. The $5 billion Facebook fine, is only 7.2% of revenue.
A couple notches down on that list, you have an Equifax fine of $1.7 billion, which is 48.2% of revenue for the year it was assessed. So, for a lot of organizations, looking in terms of percent of revenue is a good way to go on materiality.
One feature I like to call out in this report is that some of the more costly incidents actually happened because they were involved in cryptocurrency exchanges: lost wallets and stolen cryptocurrency. It’s a reminder to make sure loss events that you’re incorporating into your range estimation filter out the activities you’re not into.
Q: The study showed that a surprising amount of this activity was generated by nation-state actors. Should lower-profile companies be factoring more in their calculations for nation states as threat actors?
A: I don’t know that we can say for certain that these are targeted nation-state attacks. I think these are broad-based attacks. Ransomware events run by North Korean state actors or similar are more opportunistic.
With FAIR, we do have a way of differentiating between opportunistic attacks vs targeted attacks. So, while the skillset and the resources that they can bring to bear in the threat capability side will be significantly increased, you’re also going to see a change in frequency, as you move from targeted attacks to opportunistic attacks, so I think that changes the calculus a little bit on the risk side for thinking about those types of threat actors.
Q: What’s your advice on how to talk to boards of directors about the likelihood of these kinds of events?
A: It’s important, as always, to be careful you are not playing Chicken Little. Referencing these types of events is different than referencing most likely events. Using a FAIR loss curve with a mode [or most likely] and a 95thpercentile point is helpful to characterize the overall type of things that could happen.
Are there ways that we can reduce the likelihood of that happening by increasing our security hygiene? Are there ways that we can help our balance sheet absorb that kind of loss when it does happen, maybe once every 10, 15 or 20 years? Do we buy cyber insurance to help offset that? Do we set aside money for a rainy day?
These things focus on decision making that CISOs want to involve their team and their leadership with. You shouldn’t manage your daily risks based on that 95th percentile, but it’s important to have perhaps a second planning session with key people in your organization to think about worst-case examples.
Related:
Drawing FAIR™ Conclusions from Cyentia’s Information Risk Insights Study (IRIS)
Podcast: Jack Freund Explains NIST CSF and FAIR Integration