United Arab Emirates FAIR Chapter Chair Osama Salah has been puzzling over the most effective way to use Secondary Loss (incurred by shareholders, customers, etc.) in the FAIR Model—join the discussion in the comments section of this post or on the LINK discussion board (membership required).
FAIR distinguishes between primary and secondary losses by considering primary and secondary stakeholders. The primary stakeholder is “The person or organization that owns the asset at risk.” The loss event affects the primary stakeholder and results in losses or primary losses.
Secondary Loss occurs as a result of secondary stakeholders reacting negatively to the loss event. These secondary losses also affect the primary stakeholder. If a secondary stakeholder acts against the interests of the primary stakeholder, then in the eyes of the primary stakeholder, the secondary stakeholder is now a threat.
The Open Group OR-RT document mentions, “We may call them ‘secondary stakeholders,’ but they are most accurately viewed as ‘secondary threats’ when they begin acting against our assets.” In the context of the risk analysis, what matters most is that we are dealing with another “threat.”
Working with these definitions can become tricky, a juggling act. For example, if you are a publicly traded company, your stakeholders are your shareholders, represented by the board of directors. What if some directors or shareholders sue the company? Now some are stakeholders, and some are both stakeholders and threats.
It does not matter whether a threat is a stakeholder, customer, shareholder, family member, best friend, etc. Understanding their motivation and intent matters; the classification into primary or secondary stakeholders does not. That distinction is, so to speak, secondary, if not irrelevant.
One aspect I like about the FAIR model is that you can intuitively figure out how it works by just looking at it. And when I look at it, I don’t see the model dealing with primary or secondary stakeholders. Instead, the model tells me that the difference between primary and secondary losses is their frequency (loss types aren’t part of the model itself).
Thus, it isn’t a “story” of stakeholders but a “story” of different frequencies. Some losses (primary) will occur in every loss event, and some losses (secondary) will occur only in some of those loss events.
For example, if we are considering a ransomware scenario with an estimated frequency of 5 to 10 per year, every occurrence will have some productivity loss incurred within the estimated Loss Magnitude range. However, not every loss event is expected to include litigation-related losses. We expect that sometimes no one will sue us at all. So maybe we expect to be sued in only 1 to 2 loss events (out of 5 to 10).
And that’s why secondary losses are estimated with a different frequency. That frequency has to be less than the primary loss event frequency.
Now, when I talked about secondary loss event frequency above, I meant a frequency in the literal sense. FAIR defines secondary loss event frequency (SLEF) but measures it as a percentage. There is some merit in thinking of SLEF as a percentage, as it establishes a relationship with the primary loss event frequency (PLEF). However, solely for reasons of consistency, I believe it should be measured as a frequency.
Another reason is that thinking of a percentage might imply a single number instead of a range. So, if SLEF is “the percentage of primary events that have secondary effects”, what exactly is it referring to, i.e., the min, the most likely, or the max? It just feels more natural to stick with a frequency, as it is easier to translate into simple questions to discuss with the subject matter experts. For example, we would ask, “We have estimated 5 to 10 loss events, most likely 7. What conditions would have to exist for us to be sued? How often do you believe we might be sued?”
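To make the frequency-versus-percentage question concrete, here is an added Monte Carlo sketch (not code from the post or from any FAIR tool) of the ransomware scenario above. It samples PLEF as 5/7/10 events per year and SLEF either as a 1/1/2 per-year frequency or as a percentage of PLEF, caps secondary events at the number of primary events, and rolls both up into an annualized loss; the loss magnitudes and the triangular distribution are assumptions chosen for illustration.

```python
"""Added example: FAIR-style simulation comparing SLEF as a frequency vs. as a
percentage of PLEF. All figures below are constructed, not from the post."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Calibrated estimate: minimum, most likely (ml) and maximum."""
    low: float
    ml: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the PERT curve FAIR tooling uses (assumption).
        return rng.triangular(self.low, self.high, self.ml)


# Constructed inputs mirroring the post's ransomware scenario.
PLEF = Range(5, 7, 10)                         # primary loss events per year
SLEF_FREQ = Range(1, 1, 2)                     # lawsuits per year (frequency form)
PRIMARY_LOSS = Range(20_000, 50_000, 150_000)  # productivity loss per event, USD
SECONDARY_LOSS = Range(100_000, 250_000, 1_000_000)  # litigation loss per lawsuit


def slef_as_percentage(slef: Range, plef: Range) -> Range:
    """Translate a frequency range into FAIR's percentage form. Pairing min
    with min etc. gives an unordered range (1/5 > 1/7), which is exactly the
    ambiguity the post raises; the widest pairing is used here (assumption)."""
    return Range(slef.low / plef.high, slef.ml / plef.ml, slef.high / plef.low)


SLEF_PCT = slef_as_percentage(SLEF_FREQ, PLEF)


def simulate_year(rng: random.Random, mode: str = "frequency") -> tuple:
    """Return (primary events, secondary events, total loss) for one year."""
    primary = round(PLEF.sample(rng))
    if mode == "frequency":
        secondary = round(SLEF_FREQ.sample(rng))
    else:
        secondary = round(primary * SLEF_PCT.sample(rng))
    # A lawsuit follows a loss event, so SLEF can never exceed PLEF.
    secondary = min(secondary, primary)
    loss = sum(PRIMARY_LOSS.sample(rng) for _ in range(primary))
    loss += sum(SECONDARY_LOSS.sample(rng) for _ in range(secondary))
    return primary, secondary, loss


def annualized_loss(mode: str, years: int = 10_000, seed: int = 1) -> tuple:
    """Mean and 90th-percentile annual loss over simulated years."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, mode)[2] for _ in range(years))
    return sum(losses) / years, losses[int(0.9 * years)]
```

Running both modes side by side shows that the two conventions only agree when the percentage range is derived from, and stays consistent with, the underlying frequency estimate.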
I would be interested to know your thoughts on primary and secondary loss event frequency and on how to measure SLEF (percentage vs. frequency). Please share your thoughts in the comments section or the LINK discussion board for FAIR Institute members.