Any surgeon would ask the follow-up question: for which surgery? The closer the surgery is to their specialty, the more precise a response you will get.
My response for "where do you get the data?" is usually to ask "for what analysis?"
I’m an InfoSec Guy. The context for most of my analyses is the cybersecurity risk space. Which means there’s a clear answer for where to go for a treasure trove of data: the Privacy Office.
Privacy officers are on top of coordinating efforts to manage the data sensitivity of a breach. They keep their finger on the pulse of the costs associated with data events and are up to speed on what’s happening in all arenas of incident response. It’s a natural fit for risk assessment data needs.
The overwhelming majority of companies storing, processing, or otherwise transacting sensitive consumer data are equipped with a Privacy Office. As early as possible in standing up a FAIR program (that's our analysis model: Factor Analysis of Information Risk), I want an audience with that office. Here are the first questions I ask a privacy officer:
Most privacy officers will have their bearings on these questions. They are often also aware of cybersecurity incidents that occur and don’t require their involvement, such as some DDoS attacks. The Privacy Office is a phenomenal relationship to have for any risk manager or analyst. When you’re looking for data to describe events you should measure, such as the frequency of those events and their impact on the organization, I can think of no better starting place.