“All models are wrong, but some are useful.” By those words, professor and statistician George Box reminds us that models, including the FAIR™ Model, are approximations of reality. They’re attempts to tell the truth about how the world works in a way reducible to symbols and numbers and operators. But there are degrees of “wrongness.” How the model chooses to approximate reality is the key -- some will get it less wrong and in ways that are useful for the decisions at hand. FAIR is one of those models.
The Loss Magnitude side of the FAIR model attempts to answer the question “How much money might we lose each time this loss event occurs?” It includes two phases of loss, denoted as Primary Loss and Secondary Loss.
Primary Loss refers to losses incurred from the loss event itself, the results of the threat actor successfully impacting the asset. This also includes activities that the primary stakeholder (that’s you!) chooses to do in the wake of the loss event, such as investigating the incident or replacing a damaged server.
Secondary Loss refers to losses incurred from the reactions of outside parties to the loss event; we call those outside parties “secondary stakeholders,” the losses they cause “secondary losses,” and the percentage of primary loss events that will involve any secondary losses “secondary loss event frequency.”
We use secondary loss event frequency to capture the fact that secondary losses might not happen every single time a loss event occurs. Due to the fact that these losses are caused by external parties, we cannot always know for certain if they will occur. We account for that uncertainty using secondary loss event frequency.
An example of this is an encrypted database with PII being breached. If the key is not compromised as well, generally we would not expect to see secondary stakeholder reactions. However, if the key is compromised, then the data is in now in plain text in the hands of a bad guy and that dramatically changes the likelihood we will see fines and judgments, be required to notify affected parties, provide credit monitoring, etc. We use secondary loss event frequency to capture the probability that those loses do occur.
If we erroneously capture secondary losses as primary losses and those secondary losses were not guaranteed to occur (i.e. 100% secondary loss event frequency), we have just overstated our loss exposure.
Understanding the distinction the FAIR model makes between primary and secondary, understanding how this simplified view of the world is constructed, helps analysts put anticipated manifestations of loss in the right place in the model and equations they’re using to forecast future losses (see the six forms of loss in FAIR analysis in the chart to the right).
The key is in understanding who is causing the loss to you — the threat actor by harming your asset or you by responding to the event? Or outside parties who cause loss to you after the fact by responding to the event that unfolded? Primary losses come from the threat actor carrying out the loss event and from our own reactions to that event. Secondary losses come from the reactions of secondary stakeholders.
This topic directly relates to a question the RiskLens Academy recently received from a learner in the Fundamentals course:
“How are Fines secondary when they directly hit the organization’s bottom line?”
Indeed, isn’t all loss “direct” if “direct” means “coming from the organization’s coffers?”
“Direct” and “indirect” costs/losses aren’t terms that are defined in the FAIR standard. They aren’t necessary or helpful in determining if a loss is primary or secondary, as the question demonstrates. Fines and judgments are predominantly secondary because they are imposed upon the organization/owner of the asset/primary stakeholder by outside parties like judges, juries, government agencies, etc. (secondary stakeholders.). They are losses forced upon the organization in reaction to the loss event by outside stakeholders and are therefore secondary losses.
A related question recently was asked:
“Who is considered a secondary stakeholder? Where do I draw the line between the two?”
Most commonly, secondary stakeholders are clearly separated from the organization (primary stakeholder) itself. Examples may include:
Employees – Relevant if the loss event involves their personal information/well-being/property (i.e. required to notify affected employees of HR database breach, potential employee settlements)
Customers – Relevant if the loss event involves their personal information/ability to access products or services (i.e. required to notify affected customers in sales PII database breach, potential loss to future revenue as a result of reputation damage, etc.)
Regulators – Relevant if the loss event infringes upon relevant regulations (i.e. GDPR requirements, insufficient controls to prevent loss event identified during investigation, etc.)
Media – Relevant if media coverage is involved in the reaction to the event occurring. Specifically, any losses/money spent associated with responding to interviews, press conferences, etc.
All of the above losses are caused by the event impacting outside parties and their resulting reactions.
What does this look like for a government agency? Is the agency the primary stakeholder? The department? The Government? Typically, the agency or department that owns the asset would be considered the primary stakeholder. Any agencies/departments above and around the primary stakeholder (including the big G government) would may be considered secondary stakeholders in the analysis, as well as employees, constituents, etc.
The distinction between primary and secondary loss isn’t about “direct” vs. “indirect” costs/losses, it isn’t about the chronology of whether the loss occurs “now” or “later,” however those terms are defined, it’s a matter of who is causing the loss to you. While there are no FAIR Police roaming the halls of Enterprise Risk Management and Cyber Risk programs, it’s important that analysts consistently and accurately use the FAIR model so that analyses are internally comparable.