The most common question I’m asked about quantitative risk analysis is "where do you get data?" That’s akin to asking a surgeon "where do you make the incision?"
Any surgeon would ask the follow-up question: for which surgery? The closer the surgery is to their specialty, the more precise a response you will get.
My response for "where do you get the data?" is usually to ask "for what analysis?"
I’m an InfoSec guy. The context for most of my analyses is the cybersecurity risk space, which means there’s a clear answer for where to go for a treasure trove of data: the Privacy Office.
Privacy officers are on top of coordinating efforts to manage the data sensitivity of a breach. They keep their thumb on the pulse of the costs associated with data events and are up to speed on what’s happening in all arenas of incident response. It’s a natural fit for risk assessment data needs.
My first 5 questions to any privacy officer:
The overwhelming majority of companies storing, processing, or otherwise transacting sensitive consumer data are equipped with a Privacy Office. As early as possible in standing up a FAIR program (that's our analysis model: Factor Analysis of Information Risk), I want an audience with that office. Here are the first questions I ask a privacy officer:
- Do you have a record of the history of events you’ve participated in; either near-misses or actual breaches?
- Who serves on the committee with you for incident management and how much time per incident do you typically spend?
- What are the most commonly recurring events you deal with?
- What sorts of outside resources do you leverage and at what price points?
- When customers are involved or made aware of breaches, how do they usually react?
Most privacy officers will have their bearings on these questions. They are often also aware of cybersecurity incidents that occur and don’t require their involvement, such as some DDoS attacks. The Privacy Office is a phenomenal relationship to have for any risk manager or analyst. When you’re looking for data to describe events you should measure, such as the frequency of those events and their impact on the organization, I can think of no better starting place.
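As an added example (not code from the original post, and not an official FAIR tool), the script below shows how the answers to the five questions feed the two halves of a FAIR-style estimate: the event history (Q1) becomes Loss Event Frequency, and committee time (Q2), outside resource costs (Q4) and customer reaction (Q5) become the pieces of loss magnitude. Every figure in `PRIVACY_OFFICE_ANSWERS` is constructed for illustration; the blended hourly rate, the choice of triangular distributions for three-point estimates and a Poisson model for event counts are assumptions, not something the post prescribes.

```python
import math
import random

# Constructed, hypothetical answers to the five questions (illustrative figures only).
PRIVACY_OFFICE_ANSWERS = {
    "events_per_year_history": [2, 1, 3],                 # Q1: breaches + near-misses, last 3 years
    "committee_hours_per_incident": (20, 60, 160),        # Q2: min / most likely / max hours
    "loaded_hourly_rate": 120.0,                          # assumption: blended internal cost per hour
    "outside_resource_cost": (5_000, 25_000, 120_000),    # Q4: forensics, counsel, notification vendors
    "customer_reaction_probability": 0.3,                 # Q5: share of events with customer fallout
    "customer_reaction_cost": (10_000, 50_000, 400_000),  # Q5: churn, credit monitoring, claims
}


def loss_event_frequency(history):
    """Q1 history -> average loss events per year (FAIR Loss Event Frequency)."""
    return sum(history) / len(history)


def _tri_mean(lo, ml, hi):
    """Mean of a triangular(min, most likely, max) distribution."""
    return (lo + ml + hi) / 3


def expected_loss_per_event(a):
    """Closed-form mean single-loss magnitude from the three-point estimates."""
    internal = _tri_mean(*a["committee_hours_per_incident"]) * a["loaded_hourly_rate"]
    external = _tri_mean(*a["outside_resource_cost"])
    secondary = a["customer_reaction_probability"] * _tri_mean(*a["customer_reaction_cost"])
    return internal + external + secondary


def expected_annual_loss(a):
    """Analytic annualized loss expectancy = LEF x mean loss magnitude."""
    return loss_event_frequency(a["events_per_year_history"]) * expected_loss_per_event(a)


def _poisson(rng, lam):
    """Knuth's Poisson sampler; the random module has no built-in one."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def _sample_event_loss(rng, a):
    """One loss event: internal response time, outside help, maybe customer fallout."""
    lo, ml, hi = a["committee_hours_per_incident"]
    loss = rng.triangular(lo, hi, ml) * a["loaded_hourly_rate"]
    lo, ml, hi = a["outside_resource_cost"]
    loss += rng.triangular(lo, hi, ml)
    if rng.random() < a["customer_reaction_probability"]:
        lo, ml, hi = a["customer_reaction_cost"]
        loss += rng.triangular(lo, hi, ml)
    return loss


def simulate_annual_losses(a, years=10_000, seed=7):
    """Monte Carlo: Poisson(LEF) events per simulated year, each with a sampled magnitude."""
    rng = random.Random(seed)
    lef = loss_event_frequency(a["events_per_year_history"])
    return [sum(_sample_event_loss(rng, a) for _ in range(_poisson(rng, lef)))
            for _ in range(years)]


def loss_exceedance_points(losses, probs=(0.5, 0.9, 0.95)):
    """{p: loss} such that annual loss exceeds `loss` with probability about 1 - p."""
    ordered = sorted(losses)
    n = len(ordered)
    return {p: ordered[min(n - 1, int(p * n))] for p in probs}


if __name__ == "__main__":
    a = PRIVACY_OFFICE_ANSWERS
    print(f"Loss event frequency: {loss_event_frequency(a['events_per_year_history']):.2f}/yr")
    print(f"Mean loss per event:  ${expected_loss_per_event(a):,.0f}")
    print(f"Analytic annual loss: ${expected_annual_loss(a):,.0f}")
    losses = simulate_annual_losses(a)
    print(f"Simulated mean:       ${sum(losses) / len(losses):,.0f}")
    for p, v in loss_exceedance_points(losses).items():
        print(f"  {int((1 - p) * 100):>2}% chance annual loss exceeds ${v:,.0f}")
```

The analytic figure is a sanity check on the simulation: with these inputs the mean loss per event is 105,600 and the annualized expectation is 211,200, so a simulated mean far from that points to a modelling error rather than to the data. The exceedance points are the part worth bringing back to the privacy officer, since "one year in ten costs more than X" is a statement they can confirm or challenge from their own history.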