In a recent survey, information security professionals identified reputational damage as the most costly form of loss from cyber events. But is it really? In this first post in a series I’ll lay some groundwork that should help us evaluate the potential impact of cyber event-related loss of reputation.
What, exactly, are we trying to measure?
A definition for reputation that I’ve found useful is “The perceived value vs. liability proposition of a person or entity.” The premise is that how we view anything or anyone is always within the context of their value (whether material or emotional) vs. their potential liability to us (whether material or emotional). I haven't been able to think of a situation where this construct doesn't fit for reputation loss.
With that as a starting point, reputation damage for an organization would be something along the lines of, “Stakeholder belief that an organization's value has decreased and/or that its liability has increased.” However, because reputation is fundamentally a stakeholder’s personal and subjective point of view regarding value/liability, there isn’t a meaningful way to measure it directly.
This isn’t a problem from a risk measurement perspective though, because we’re interested in the effects of damaged reputation rather than simply whether stakeholder beliefs have changed. This is why the FAIR definition for reputation damage is: “Losses resulting from stakeholder belief that an organization's value has decreased and/or that its liability has increased.”
With this as a foundation, reputation damage for commercial organizations is likely to materialize in one or more of the following ways:
- A loss of market share and/or slowed growth (the consumer stakeholder)
- A reduction in stock price (the investor stakeholder)
- An increase in the cost of capital (the lender stakeholder)
- Increased costs associated with acquiring and/or retaining personnel (the employee stakeholder)
- Business limitations imposed by regulators (the regulator stakeholder)
In other words, defining measurement parameters for reputation damage boils down to identifying who the relevant stakeholders are and how a change in their beliefs regarding an organization would materialize as harm to the organization. This approach applies regardless of what kind of organization we’re concerned with (commercial, non-profit, government, etc.).
Impossible to measure?
I've encountered many in our field who claim that reputation damage can’t be measured. When pressed on the matter though, it almost always turns out that what they mean is that it can’t be measured precisely, in large part because the effects could play out for years into the future.
While it is true that, a) the reputation effects of an event can, conceivably, linger long into the future, and b) the effects (even the short term effects) can’t be measured precisely, that isn’t the same thing as “can’t be measured.” This comes back to the too-common tendency to insist on the pipe dream of high precision. The fact is, accuracy is far more important. If you’re not sure of the difference, here are some resources that might be helpful:
- Life's Uncertainties and the Risk Analyst
Here’s the key though — if reputation damage from an event is severe (as is commonly professed) then the evidence should be clear and measurable, probably for more than one of the stakeholders identified above.
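To make the accurate-but-imprecise point concrete, here is an added example (not from the post or from the FAIR standard itself) that estimates reputation loss as a range across the five stakeholder channels listed above: each channel gets a probability of materializing and a min / most likely / max loss, and a Monte Carlo run turns those into percentiles instead of a single number. All dollar figures and probabilities are constructed placeholders, and a triangular distribution stands in for the PERT curves FAIR tooling typically uses.

```python
import random

# Constructed, illustrative inputs, one per stakeholder channel from the post.
# Each entry: (probability the channel materializes at all,
#              (minimum, most likely, maximum) loss in USD).
# Placeholders only; replace with calibrated estimates for a real analysis.
REPUTATION_CHANNELS = {
    "market_share_or_growth":   (0.60, (10_000,   250_000, 3_000_000)),
    "stock_price":              (0.30, (50_000,   400_000, 5_000_000)),
    "cost_of_capital":          (0.20, (20_000,    80_000,   900_000)),
    "personnel_acquire_retain": (0.40, (5_000,     40_000,   400_000)),
    "regulatory_limitations":   (0.15, (100_000,  500_000, 8_000_000)),
}

def simulate_reputation_loss(channels, trials=20_000, seed=1):
    """Per trial: decide which stakeholder channels materialize, draw a loss
    from each one's (min, most likely, max) range, and sum them.
    Returns the per-trial totals sorted ascending."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for probability, (low, mode, high) in channels.values():
            if rng.random() < probability:
                # Triangular draw; random.triangular takes (low, high, mode).
                total += rng.triangular(low, high, mode)
        totals.append(total)
    totals.sort()
    return totals

def percentile(sorted_values, p):
    """Nearest-rank percentile of an already sorted list (0 < p <= 100)."""
    index = max(0, int(round(p / 100 * len(sorted_values))) - 1)
    return sorted_values[index]

def summarize(channels, trials=20_000, seed=1):
    """Report the loss as a range of percentiles rather than a point value:
    accurate about the spread, deliberately not precise."""
    totals = simulate_reputation_loss(channels, trials, seed)
    return {
        "p10": percentile(totals, 10),
        "p50": percentile(totals, 50),
        "p90": percentile(totals, 90),
        "max_possible": sum(high for _, (_, _, high) in channels.values()),
    }

if __name__ == "__main__":
    for name, value in summarize(REPUTATION_CHANNELS).items():
        print(f"{name:>13}: {value:>14,.0f}")
```

The p10/p50/p90 spread is the output a decision maker can act on; the gap between p90 and the theoretical maximum shows how much of the "severe" tail the constructed inputs actually support.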
Wrapping up Part 1
This groundwork should make it feasible for us to evaluate whether reputation damage is the most significant form of loss from cyber events or, perhaps more importantly, in what situations it might be. As you’ll see in a following post in the series, it will also help us to evaluate our own organization’s exposure to reputation damage. Stay tuned!