The previous section introduced the factors that drive the probability of loss events occurring. This section describes the other half of the risk equation – the factors that drive loss magnitude when events occur.

Unfortunately, loss is one of the toughest nuts to crack in analyzing risk. Various approaches have been tried, with varying degrees of success, but none has gained widespread use or acceptance. As a result, we tend to do one of three things: exclude loss considerations altogether, cite only the worst-case possibilities, or try to be precise in our calculations. Excluding loss from an analysis means that we aren’t analyzing risk at all (by definition, risk always has a loss component). Citing worst-case possibilities alone removes the probabilistic element from our analysis (by definition, risk is a probability issue). Trying to be precise is generally a waste of time, both because of the inherent complexity within loss and because decision-makers generally need only a ballpark idea of the loss probabilities. Their experience with other forms of risk (investment, market, etc.) has taught them that actual losses can’t be predicted with any precision.

There are a number of reasons why it’s difficult to evaluate loss probability, for example:

  • It’s very difficult to put a precise value on assets at risk
  • Assets generally have more than one value or liability characteristic
  • Loss can take many forms
  • A single event can result in more than one form of loss
  • Complex systemic relationships exist between the different forms of loss
  • Many factors determine loss magnitude

Making matters even more difficult in the information risk environment is the fact that we have very little good data regarding loss magnitude. Many organizations don’t perform loss analysis when events occur, and those that do track loss often limit their analyses to the ‘easy stuff’ (e.g., person-hours, equipment replacement, etc.). Furthermore, without a standard taxonomy it’s very difficult to normalize the data across organizations.

Before we go any further, my experience has been that loss from information security incidents generally has a distribution that looks something like the following:

In other words, there are far more events that result in loss at the low end of the magnitude spectrum than there are at the high end. For example, individual virus incidents, unauthorized use of systems to serve up MP3 files, and even password cracking and web site defacement rarely result in significant loss. The question we have to ask ourselves is, “Why?” What factors are responsible for this? Clearly some of these events have significant potential for harm, but if we compared the actual loss from two similar events – one in which minimal loss occurred, and another where substantial loss occurred – what factors determined the difference? In order for us to make reasoned estimates of loss, we have to understand these factors.
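To make the shape of that distribution concrete, here is an added example (not from the original post) that simulates per-event loss magnitudes with a constructed lognormal model and reports the ballpark figures a decision-maker would actually use: where most events sit, how far the tail reaches, and how far the single worst case is from the typical event. The median loss, dispersion and event count are illustrative assumptions, not figures from the page.

```python
import math
import random
import statistics


def simulate_event_losses(n_events, median_loss, sigma, seed=7):
    """Draw per-event loss magnitudes from a lognormal distribution.

    Constructed, hypothetical model: most events land near or below the
    median, while a thin right tail produces the rare, very large losses.
    median_loss and sigma are illustrative inputs, not data from the page.
    """
    rng = random.Random(seed)        # fixed seed so the run is reproducible
    mu = math.log(median_loss)       # the median of a lognormal is exp(mu)
    return [rng.lognormvariate(mu, sigma) for _ in range(n_events)]


def percentile(sorted_losses, p):
    """Nearest-rank percentile on an already sorted list (0 < p <= 1)."""
    idx = max(0, math.ceil(p * len(sorted_losses)) - 1)
    return sorted_losses[idx]


def loss_summary(losses):
    """Ballpark view of a skewed loss distribution rather than a point estimate."""
    s = sorted(losses)
    mean = statistics.fmean(s)
    median = percentile(s, 0.50)
    return {
        "median": median,
        "p90": percentile(s, 0.90),
        "p99": percentile(s, 0.99),
        "worst_case": s[-1],
        "mean": mean,
        # fraction of events below the average: well above 0.5 for a
        # right-skewed distribution, i.e. 'many small losses, few large ones'
        "share_below_mean": sum(1 for x in s if x < mean) / len(s),
        # how much quoting only the worst case overstates the typical event
        "worst_to_median_ratio": s[-1] / median,
    }


if __name__ == "__main__":
    summary = loss_summary(simulate_event_losses(10_000, median_loss=5_000, sigma=1.5))
    for name, value in summary.items():
        print(f"{name:>21}: {value:,.2f}")
```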

Next: Forms Of Loss