The probable magnitude of loss resulting from a threat action.
An asset’s loss potential stems from the value it represents and/or the liability it introduces to an organization. For example, customer information provides value through its role in generating revenue for a commercial organization. That same information also can introduce liability to the organization if a legal duty exists to protect it, or if customers have an expectation that the information about them will be appropriately protected.
Primary Loss Magnitude (PLM) - Loss that occurs directly as a result of the threat acting against the asset.
Primary loss is based on the direct nature of the asset: how much will it cost to replace? How much will it cost to get the whole IT department involved in stopping this DoS? Take into account the duration and effect of the attack on the asset.
Secondary Loss Magnitude (SLM) - Secondary loss is predicated on primary loss events. The last three forms of loss (fines/judgments, competitive advantage, and reputation), and sometimes response, are more often associated with secondary loss, though this is certainly NOT a rule.
If you are having trouble determining whether a calculated loss is primary or secondary, use this test: if the loss does not ALWAYS occur as a result of the primary threat acting against the primary asset, it is a secondary loss.
Six forms of loss are defined within FAIR: productivity, response, replacement, fines/judgments (F&J), competitive advantage (CompAdv), and reputation. In addition, there are three Loss Event Types that help describe risk more generally: confidentiality, integrity, and availability.
- Productivity: the reduction in an organization’s ability to generate its primary value proposition (e.g., income, goods, services, etc.)
Productivity loss typically reflects one or both of the following:
• The operational inability to generate revenue (if a commercial enterprise). For example, the website of an organization that sells products over the Internet goes down and they lose sales as a result. Note, however, that in many instances revenue may be delayed rather than lost, depending on the likelihood of customers taking their business elsewhere.
• The cost of wages (etc.) being paid to personnel who aren’t able to perform their tasks. For example, telecommunications lines go down, leaving call center representatives unable to take calls. For many scenarios in many organizations this form of loss is not significant compared to other losses that may be involved (e.g., reputation). If the difference is large enough it may not make sense to spend the time estimating diminished personnel productivity.
Productivity loss is usually derived by estimating the potential duration of outages (given the controls that are in place) and multiplying that by either the revenue per hour (for revenue losses) or loaded hourly wages (for a full employee work stoppage).
Notes:
• Losses associated with reduced market share from reputation damage, etc., do not fall into this category. The key point to remember is that productivity loss is associated with operational constraints.
• For many employees an outage of one system or application only limits their ability to perform specific work. In many cases they are able to fulfill other responsibilities. As a result, the net effect on productivity is reduced or eliminated. To reflect partial employee productivity loss, simply estimate the percentage of reduced productivity and multiply it by the duration and the loaded hourly wage.
• Productivity loss rarely applies to Secondary Loss.
Example:
• Recovery time for application X is expected to be between .5 and 2 hours given the recovery processes and technologies that have been implemented.
• Application X generates between $50,000 and $500,000 (peak before holidays) revenue per hour.
• The expectation is that between 60% and 80% of customers will go to a competitor if they are unable to access application X.
• Minimum revenue loss per outage is expected to be $15,000 (.5 x $50,000 x 60%)
• Maximum revenue loss per outage is expected to be $800,000 (2 x $500,000 x 80%)
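As an added example (not part of the FAIR documentation), the calculation above carried out in Python: the min/max revenue loss for application X, the partial-productivity wage calculation from the notes, and a Monte Carlo pass that samples each factor from a triangular distribution to produce a distribution of loss per outage rather than only the two endpoints. The triangular distribution (used here in place of the PERT distribution FAIR tooling normally uses), the wage-side figures, and the function names are assumptions of this example.

```python
"""Productivity loss magnitude for an outage scenario, following the FAIR
approach described above. Added example; the revenue figures are the ones
given on the page, the triangular sampling and wage figures are assumptions."""
import random


def revenue_loss_range(hours, revenue_per_hour, attrition):
    """Min/max revenue loss for an outage.

    Each argument is a (low, high) tuple. Revenue is only *lost* (rather
    than delayed) for the share of customers who go to a competitor, so the
    attrition share is applied to the revenue at risk.
    """
    lo = hours[0] * revenue_per_hour[0] * attrition[0]
    hi = hours[1] * revenue_per_hour[1] * attrition[1]
    return lo, hi


def wage_loss_range(hours, loaded_hourly_wage, headcount, reduced_fraction):
    """Min/max personnel productivity loss (the wage form of loss above).

    reduced_fraction is a (low, high) share of each person's work that the
    outage actually stops, so staff who can do other tasks are not counted
    as a total loss.
    """
    lo = hours[0] * loaded_hourly_wage * headcount * reduced_fraction[0]
    hi = hours[1] * loaded_hourly_wage * headcount * reduced_fraction[1]
    return lo, hi


def simulate_revenue_loss(hours, revenue_per_hour, attrition, n=10000, seed=1):
    """Monte Carlo: sample each factor from a triangular distribution over
    its range (mode at the midpoint, an assumption of this example) and return
    the per-event losses sorted ascending so percentiles can be read off."""
    rng = random.Random(seed)

    def draw(lo, hi):
        return rng.triangular(lo, hi, (lo + hi) / 2)

    samples = [
        draw(*hours) * draw(*revenue_per_hour) * draw(*attrition)
        for _ in range(n)
    ]
    samples.sort()
    return samples


def percentile(sorted_samples, p):
    """Value below which p percent of the sorted samples fall."""
    idx = min(len(sorted_samples) - 1, int(p / 100 * len(sorted_samples)))
    return sorted_samples[idx]


# Figures from the example above: 0.5-2 h recovery, $50k-$500k revenue per
# hour, 60%-80% of customers go to a competitor during the outage.
APP_X_HOURS = (0.5, 2.0)
APP_X_REVENUE_PER_HOUR = (50_000, 500_000)
APP_X_ATTRITION = (0.60, 0.80)

if __name__ == "__main__":
    lo, hi = revenue_loss_range(APP_X_HOURS, APP_X_REVENUE_PER_HOUR, APP_X_ATTRITION)
    print(f"revenue loss per outage: ${lo:,.0f} to ${hi:,.0f}")
    dist = simulate_revenue_loss(APP_X_HOURS, APP_X_REVENUE_PER_HOUR, APP_X_ATTRITION)
    for p in (10, 50, 90):
        print(f"p{p}: ${percentile(dist, p):,.0f}")
    # Constructed wage-side figures (not from the page): 40 call center
    # representatives at a $45/h loaded wage, 50%-100% of their work blocked.
    wlo, whi = wage_loss_range(APP_X_HOURS, 45, 40, (0.5, 1.0))
    print(f"personnel productivity loss: ${wlo:,.0f} to ${whi:,.0f}")
```

The endpoints reproduce the $15,000 and $800,000 figures above; the simulated percentiles show that, with every factor sampled across its range, most outages land well inside those endpoints, which is the shape an analyst reports rather than the extremes alone.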
- Response: expenses associated with managing a loss event (e.g., internal or external person-hours, logistical expenses, etc.)
What are some examples of Response costs?
Response costs are those expenses associated with managing a loss event. Keep in mind, however, that response costs commonly occur for both primary and secondary loss. Examples of primary response costs include, but aren’t limited to:
• The person-hours spent to investigate an event
• The time spent by personnel in meetings to manage the event
• Forensics analysis costs
• Notification costs
Examples of secondary response costs include, but aren’t limited to:
• The cost of credit monitoring for people whose personal information has been compromised. Keep in mind, though, that credit monitoring costs have some economy of scale: the cost per record is often lower for larger breaches, a quantity discount, so to speak. Also, only a small portion of the people who are offered credit monitoring actually choose to use it, and the organization is only charged for those who do.
• Activities and costs associated with managing public relations
• The cost of legal defense
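An added example, not from the FAIR documentation, of estimating the credit-monitoring response cost with the two effects just noted: a per-record price that falls as the breach grows, and billing only for the people who actually enrol. The price tiers, the uptake range, and the function names are constructed assumptions, not figures from the page or from any vendor.

```python
"""Secondary response cost for credit monitoring after a breach. Added
example; the tiers and uptake range below are constructed assumptions."""

# Constructed tiered price list: (minimum records for this tier, price per
# enrolled person). Larger breaches get a lower unit price.
PRICE_TIERS = [
    (0, 20.00),
    (10_000, 12.00),
    (100_000, 8.00),
    (1_000_000, 5.00),
]

# Constructed uptake range: the share of notified people who enrol.
UPTAKE_RANGE = (0.05, 0.25)


def unit_price(records_affected, tiers=PRICE_TIERS):
    """Per-enrolled-person price for a breach of the given size: the price of
    the highest tier whose threshold the breach size reaches."""
    price = tiers[0][1]
    for threshold, tier_price in tiers:
        if records_affected >= threshold:
            price = tier_price
    return price


def credit_monitoring_cost(records_affected, uptake, tiers=PRICE_TIERS):
    """Cost billed to the organization: only enrolled people are charged."""
    enrolled = round(records_affected * uptake)
    return enrolled * unit_price(records_affected, tiers)


def credit_monitoring_range(records_affected, uptake_range=UPTAKE_RANGE):
    """Min/max secondary response cost across the uptake range."""
    return (
        credit_monitoring_cost(records_affected, uptake_range[0]),
        credit_monitoring_cost(records_affected, uptake_range[1]),
    )


def cost_per_notified_record(records_affected, uptake):
    """Effective cost per record on the notification list, which is what a
    naive 'records x list price' estimate gets wrong."""
    return credit_monitoring_cost(records_affected, uptake) / records_affected


if __name__ == "__main__":
    for n in (5_000, 50_000, 500_000, 5_000_000):
        lo, hi = credit_monitoring_range(n)
        print(f"{n:>9,} records: ${lo:>12,.0f} to ${hi:>12,.0f} "
              f"(naive list-price estimate ${n * PRICE_TIERS[0][1]:,.0f})")
```

Run stand-alone it prints the billed range beside the naive list-price figure for several breach sizes; the gap between the two is the over-estimate an analyst makes by ignoring uptake and the volume discount.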
- Replacement: the intrinsic value of an asset. Typically represented as the capital expense associated with replacing lost or damaged assets (e.g., rebuilding a facility, purchasing a replacement laptop, etc.)
Replacement costs usually come into play for tangible assets that are damaged, lost, or stolen and must be replaced. Examples include:
• Lost laptops (and potentially the software on them)
• Damaged buildings
• Crashed servers
• Money that has been stolen
In some scenarios, the expenses associated with replacing an employee who has been terminated, has resigned, or has died could also be considered replacement costs. In other scenarios, the cost of covering losses suffered by secondary stakeholders could also be considered a replacement loss; for example, the cost of covering the losses suffered by a customer whose bank account was emptied by a hacker.
- Fines and judgments (F&J): legal or regulatory actions levied against an organization. Note that this includes bail for any organization members who are arrested.
- Competitive advantage (CompAdv): losses associated with diminished competitive advantage. Within this framework, CompAdv loss is specifically associated with assets that provide competitive differentiation between the organization and its competition. Within the commercial world, examples would include trade secrets, merger and acquisition plans, etc. Outside of the commercial world, examples would include military secrets, secret alliances, etc.
Competitive advantage losses include those typically seen in reputation loss, e.g., reduced market share, reduced stock price, or increased cost of capital, because the organization’s value proposition relative to its competition has materially changed. Where competitive advantage exists because of technology or processes that enable more efficient operations, competitive advantage losses could be reflected in reduced profit margins.
- Reputation: losses associated with an external perception that an organization’s leadership is incompetent, criminal, or unethical, e.g., reduced market share, reduced stock price, or increased cost of capital.
Keep in mind that loss is always evaluated from a single perspective; typically that of the organization under analysis. For example, although customers might be harmed if their personal information is stolen, our risk analysis would evaluate the losses experienced by the organization rather than the losses experienced by the customers.