The FAIR™ model (and the RiskLens risk quantification application built on it) is all about a disciplined way to estimate risk, including being very specific about the types of loss that can result directly or indirectly from a cyber attack or other event. These forms of loss have a very practical use: zeroing in on the right data inputs for analysis.
The RiskLens cyber risk analytics platform focuses and automates the data collection side of analysis with data helpers: pre-packaged sets of data drawn from industry data sources or RiskLens’ experience with clients, carefully curated and enhanced by the RiskLens data science team for completeness, credibility and relevance to specific industries (healthcare, finance, etc.).
Customers can choose to forgo the data helpers completely and collect data to use for direct estimation, though they typically choose to focus on data selection over data collection and use the provided data helpers as a starting place. As they learn more about their environment, the data helpers can be further refined and tuned by the customer, providing additional precision.
Here’s a look at the six loss types in FAIR risk analysis, and some of the most useful data.
1. Productivity Loss
Definition: Losses that result from an organization’s inability to deliver its products or services.
What does this mean: When completing an analysis, it’s easy to think “if this application goes down, X number of employees would not be able to do their jobs”. That is true, but the impact can be much larger than that. If that application is tied to customer ordering, then during the outage customers could not make purchases, creating an organizational productivity loss because staff would be unable to fulfill customer orders. This is sometimes represented as lost revenue for the duration of the outage.
Notice that the main example here is an availability related scenario, however, there can be other scenarios (Confidentiality or Integrity) where a Productivity Loss would come into play.
Data helpers provide:
Support for estimating productivity loss (in ranges) based on these variables:
- Numbers of employees with productivity impacted
- Percentages of employee productivity affected
- Outage duration (mean time to recover [MTTR])
2. Response Loss
Definition: Losses that are associated with managing the event itself. This form of loss will be the most common across your analyses.
What does this mean: If you have ever had a cyber or technology loss event occur within your organization, you have probably held what seems to be endless meetings about the incident. The efficacy of those meetings aside, the time it takes to perform them is a cost you should account for in your analyses, besides the hands-on response work.
Keep in mind you can still have additional response costs even after the incident has been resolved.
Data helpers provide:
Primary Response
- An estimate of the loaded hourly employee wage (salary plus benefits and overhead), used together with an estimate of response-team person hours to calculate the financial value of the investigation
Secondary Response
- General estimations of external stakeholder notification, response, and management cost, including customer/user notification, credit monitoring, litigation, external audits, and more based on the type of event and response required
Data may be supplemented with information from your Incident Response, Business Continuity Planning and Legal teams.
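The productivity loss variables listed above (employees affected, percentage of productivity lost, MTTR) and the primary response inputs (loaded hourly wage, response-team person hours) combine multiplicatively, and FAIR expresses each input as a calibrated range (minimum, most likely, maximum) rather than a point value. The following is an added example, not RiskLens code and not a data helper: it turns each range into a PERT distribution, runs a Monte Carlo simulation over the inputs, and reports loss percentiles. The input ranges and the field names (`employees_affected`, `mttr_hours`, etc.) are constructed for illustration; the sharing of one wage draw between the productivity and response terms is a modelling assumption.

```python
import random
from typing import Dict, List, Sequence, Tuple

# A FAIR-style calibrated range: (minimum, most likely, maximum).
Range = Tuple[float, float, float]


def pert_sample(rng: random.Random, r: Range, lam: float = 4.0) -> float:
    """Draw one value from a PERT distribution over (min, mode, max).

    PERT is a scaled Beta distribution that weights the most-likely value
    `lam` times more heavily than the endpoints; this is a common way to
    turn a calibrated range into something that can be sampled.
    A degenerate range (min == max) returns that point value.
    """
    lo, mode, hi = r
    if not lo <= mode <= hi:
        raise ValueError(f"range must satisfy min <= mode <= max, got {r}")
    if hi == lo:
        return lo
    alpha = 1.0 + lam * (mode - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def productivity_loss(employees: float, pct_affected: float,
                      loaded_hourly_wage: float, mttr_hours: float) -> float:
    """Productivity loss for one event: headcount x share of output lost x cost per hour x outage hours."""
    return employees * pct_affected * loaded_hourly_wage * mttr_hours


def primary_response_loss(loaded_hourly_wage: float, person_hours: float) -> float:
    """Primary response loss: internal investigation and meeting time at loaded cost."""
    return loaded_hourly_wage * person_hours


def percentile(sorted_vals: Sequence[float], p: float) -> float:
    """Nearest-rank p-th percentile (0..100) of an already sorted sequence."""
    last = len(sorted_vals) - 1
    idx = min(last, max(0, int(round(p / 100.0 * last))))
    return sorted_vals[idx]


def simulate_event_loss(inputs: Dict[str, Range], n: int = 10000,
                        seed: int = 1) -> Dict[str, float]:
    """Monte Carlo over the ranged inputs; returns loss summary statistics."""
    rng = random.Random(seed)
    totals: List[float] = []
    for _ in range(n):
        # Assumption: the same wage draw applies to affected staff and responders.
        wage = pert_sample(rng, inputs["loaded_hourly_wage"])
        prod = productivity_loss(
            pert_sample(rng, inputs["employees_affected"]),
            pert_sample(rng, inputs["pct_productivity_lost"]),
            wage,
            pert_sample(rng, inputs["mttr_hours"]),
        )
        resp = primary_response_loss(wage, pert_sample(rng, inputs["response_person_hours"]))
        totals.append(prod + resp)
    totals.sort()
    return {
        "min": totals[0],
        "p10": percentile(totals, 10),
        "p50": percentile(totals, 50),
        "p90": percentile(totals, 90),
        "max": totals[-1],
        "mean": sum(totals) / n,
    }


# Constructed inputs for a hypothetical order-entry application outage.
# These are illustrative numbers, not RiskLens or industry data.
EXAMPLE_INPUTS: Dict[str, Range] = {
    "employees_affected": (40, 60, 120),
    "pct_productivity_lost": (0.25, 0.5, 1.0),
    "loaded_hourly_wage": (45.0, 65.0, 110.0),
    "mttr_hours": (1.0, 4.0, 24.0),
    "response_person_hours": (20.0, 60.0, 200.0),
}


def analytic_bounds(inputs: Dict[str, Range] = EXAMPLE_INPUTS) -> Tuple[float, float]:
    """Best- and worst-case totals from the range endpoints, as a sanity check on the simulation."""
    lo = (productivity_loss(inputs["employees_affected"][0], inputs["pct_productivity_lost"][0],
                            inputs["loaded_hourly_wage"][0], inputs["mttr_hours"][0])
          + primary_response_loss(inputs["loaded_hourly_wage"][0], inputs["response_person_hours"][0]))
    hi = (productivity_loss(inputs["employees_affected"][2], inputs["pct_productivity_lost"][2],
                            inputs["loaded_hourly_wage"][2], inputs["mttr_hours"][2])
          + primary_response_loss(inputs["loaded_hourly_wage"][2], inputs["response_person_hours"][2]))
    return lo, hi


if __name__ == "__main__":
    stats = simulate_event_loss(EXAMPLE_INPUTS)
    for k, v in stats.items():
        print(f"{k:>5}: {v:>12,.0f}")
```

The percentiles, not the point product of most-likely values, are what go into the analysis; reporting the 10th/50th/90th percentile alongside the analytic bounds makes it obvious when an input range is too wide to be useful and needs refining with data from the teams named above.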
3. Replacement Loss
Definition: The costs associated with the replacement of a capital asset or a person.
What does this mean: If a server or an office gets damaged or you have to terminate an employee, all of these things have the potential for creating replacement costs. Keep in mind you may have more costs associated with hiring and onboarding a new employee than you may realize.
Data helpers provide:
- Capital asset replacement costs in ranges.
- Employee replacement – HR and recruiting cost ranges.
Data may be supplemented with information from Procurement and HR teams.
4. Fines and Judgments
Definition: Penalties levied against an organization through civil, criminal or contractual actions, usually the result of a Confidentiality related scenario.
What does this mean: To take an ugly example, a company that suffers a data breach of personal information through poor security practices, and then doesn’t publicly disclose it in a timely way, could be fined by the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), or any one of the states, and then get sued by customers and have to pay on court judgments.
Data helpers provide:
- Fines, judgments and contractual costs – based on Advisen historic data extensively refined by the RiskLens data science team – for PCI, PII and PHI data access or disclosure.
5. Competitive Advantage
Definition: Losses associated with a diminished competitive advantage.
What does this mean: Your competitor is able to get better at what they are doing because of the loss event at your organization; this most often arises in intellectual property loss scenarios. This tends to be one of the harder forms of loss to calculate, and an organization might be tempted to treat it as reputation damage, which FAIR keeps as a separate form of loss.
Data helpers provide:
- General ranges of lost revenue due to competitive advantage loss. Examples: the projected annual revenue attributed to the product or service impacted by the intellectual property theft, or the percentage of attributed revenue expected to decrease due to the intellectual property theft.
Data may be supplemented with information from your Marketing or Product groups.
6. Reputation Damage
Definition: Losses associated with an external actor’s perception that the value proposition of your organization has been diminished.
What does this mean: Basically, your organization sells less of its main product because the loss event occurred. This can be tricky to calculate because it deals with things outside of your organization’s control. Also, it’s going to be a calculation highly specific to your organization, and likely to require some serious conversation before reaching a consensus.
Don’t let this form of loss hold up your analysis. Sometimes it’s perfectly acceptable to not include this in early analyses until the organization has come to an agreement on how to calculate Reputation damage.
Data helpers provide:
- Lost future revenue in ranges due to customer churn or attrition, for instance, based on customer lifetime value, using data specific to the organization, collected from Marketing or Privacy teams.