Within this scenario, three potential threat actions stand out as having significant loss potential – misuse, disclosure, and destruction.

  • Misuse – Employee records typically have information that can be used to execute identity theft, which introduces potential legal and reputational loss
  • Disclosure – Employee records often have sensitive personal information related to medical or performance issues, which introduces legal and reputational exposure
  • Deny access (destruction) – Employee records are a necessary part of operating any business. Consequently, their destruction can introduce some degree of lost productivity.

In some cases it’s necessary to evaluate the loss associated with more than one threat action in order to decide which one has the most significant loss potential. For this exercise, we’ll select disclosure as our worst-case threat action.

Our next step is to estimate the worst-case loss magnitude for each loss form.

Note that we didn’t estimate loss magnitude for Replacement. Any time you’re evaluating loss and one or more of the forms has a loss magnitude of Severe (Sv), it’s not worthwhile to give much thought to loss forms having a much lower, or no, loss magnitude. In this case, Replacement doesn’t apply because the assets aren’t being destroyed.

Our estimates are based on the following rationale:

Productivity

It’s conceivable that productivity losses could be High as employee attention is diverted to this event.

Response

Legal expenses associated with inside and outside legal counsel could be High, particularly if class action lawsuits were filed.

Fines/Judgments

If the disclosed information included details regarding psychological illness or other sensitive health issues, then legal judgments on behalf of affected employees could be Severe, particularly if a large number of employees were affected.

If the information included evidence of criminal activity or incompetence on the part of management, then legal and regulatory fines and sanctions could be Severe.

Competitive advantage

If the disclosed information provided evidence of incompetence or criminal activity, competitors could, in theory, leverage that to gain advantage. For the most part, however, we can expect competitors to simply sit back and rake in any disaffected customers (which falls under reputational loss).

Reputation

If the information was sensitive enough, due diligence was seriously absent, legal actions were large enough, and media response was negative and pervasive, then reputational loss associated with customer flight and stock value could be Severe.

* Magnitudes will vary based on the size of the organization.

We aren’t going to document all of our rationale in most risk analyses. Most of the time we internalize all but the most significant factors. Nonetheless, having a deeper understanding of what these factors are and how they work increases the quality of our analyses.

Note that the rationale above is based on what could happen. This highlights the fact that worst-case analyses tend to be based on possibilities rather than probabilities. In order to make this worst-case information meaningful, we need to have some idea of how probable a worst-case outcome is.

A large number of factors affect the likelihood of a worst-case outcome. In this scenario we selected disclosure as our worst-case threat action, yet we haven’t considered the likelihood that a threat agent from this threat community would intentionally disclose the information. Other actions might be far more likely. Accidental disclosure might result, of course, if the threat agent performed identity theft, was caught, and the information was traced back to this organization and this event: a series of ‘ifs’, each with less than a 100% probability. Furthermore, even if disclosure occurred, the organization has an opportunity to mitigate loss magnitude through its response. Does it go out of its way to rectify the situation? Does it have an effective public relations capability and a good relationship with the media? Each of these factors reduces the probability of a worst-case outcome.

In most cases it isn’t worthwhile to spend too much time and effort evaluating the probability of a worst-case outcome. Spend enough time to get a sense of what the key factors are, and roughly where on the continuum between almost certain and almost impossible the worst-case outcome falls.

For our scenario, we’ll determine that the worst-case magnitude is Severe (tens of millions of dollars), but with a very low probability of occurring.
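The two steps above, picking the worst-case magnitude across loss forms and then asking how probable that outcome actually is, are easy to get wrong in a spreadsheet: the magnitude is the maximum over the forms that were rated, not a sum, and the probability is the product of the whole chain of ‘ifs’. The following is an added example, not code from the original post or from the FAIR framework. It assumes the full ordered magnitude ladder (only High and Severe appear on this page), the per-form ratings from the rationale above, constructed probabilities for each link in the disclosure chain, and constructed cut-offs for the qualitative bands between almost impossible and almost certain.

```python
"""Worst-case loss model for the employee-records disclosure scenario.

Added illustration; magnitude labels beyond High/Severe, chain probabilities
and band cut-offs are assumptions, not values from the original post.
"""

# Ordered magnitude ladder, lowest to highest. Only "High" and "Severe (Sv)"
# are named on the page; the lower rungs are assumed for ordering only.
MAGNITUDE_ORDER = ["Very Low", "Low", "Moderate", "Significant", "High", "Severe"]


def rank(magnitude):
    """Position of a magnitude label on the ladder (higher is worse)."""
    return MAGNITUDE_ORDER.index(magnitude)


# Ratings taken from the rationale above. None means "not estimated":
# Replacement does not apply because nothing is destroyed, and the page
# assigns Competitive advantage no magnitude (it folds into Reputation).
SCENARIO_ESTIMATES = {
    "Productivity": "High",
    "Response": "High",
    "Replacement": None,
    "Fines/Judgments": "Severe",
    "Competitive advantage": None,
    "Reputation": "Severe",
}


def worst_case_magnitude(estimates):
    """Return (worst magnitude, loss forms that drive it).

    Worst case is the MAXIMUM over rated loss forms, not their sum; forms
    marked None are skipped, which is the shortcut the text describes once
    one form is already Severe.
    """
    rated = {form: mag for form, mag in estimates.items() if mag is not None}
    if not rated:
        raise ValueError("no loss form has been estimated")
    top = max(rated.values(), key=rank)
    drivers = sorted(form for form, mag in rated.items() if mag == top)
    return top, drivers


# The chain of 'ifs' behind an accidental disclosure, as described in the
# text. Every probability here is a constructed placeholder for illustration.
DISCLOSURE_CHAIN = [
    ("threat agent actually performs identity theft", 0.5),
    ("threat agent is caught", 0.3),
    ("stolen data is traced back to this organization and event", 0.2),
    ("organization's response fails to contain the fallout", 0.3),
]


def worst_case_probability(chain):
    """Joint probability that every link in the chain holds.

    Each link is conditional on the previous ones, so the joint probability
    is their product; any single link below 1.0 pulls the whole chain down.
    """
    joint = 1.0
    for description, p in chain:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range for: {description}")
        joint *= p
    return joint


def probability_band(p):
    """Map a probability onto the continuum the text describes.

    Cut-offs are constructed for this example; the page itself only speaks
    of a range from almost impossible to almost certain.
    """
    if p >= 0.9:
        return "almost certain"
    if p >= 0.5:
        return "likely"
    if p >= 0.1:
        return "possible"
    if p >= 0.01:
        return "unlikely"
    return "very low"


def worst_case_summary(estimates, chain):
    """Combine both steps into the statement the analysis ends with."""
    magnitude, drivers = worst_case_magnitude(estimates)
    p = worst_case_probability(chain)
    return {
        "magnitude": magnitude,
        "driven_by": drivers,
        "probability": p,
        "probability_band": probability_band(p),
    }


if __name__ == "__main__":
    summary = worst_case_summary(SCENARIO_ESTIMATES, DISCLOSURE_CHAIN)
    print(f"Worst-case magnitude: {summary['magnitude']} "
          f"(driven by {', '.join(summary['driven_by'])})")
    print(f"Probability of that outcome: {summary['probability']:.3f} "
          f"({summary['probability_band']})")
```

With the page’s ratings the worst case comes out Severe, driven by Fines/Judgments and Reputation, and the constructed four-link chain lands below one percent, which is the “Severe but very low probability” conclusion the text reaches. Changing any single link (say, an effective public relations response) visibly moves the band, which is the point the text makes about the organization’s own response reducing worst-case probability.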

Next: Estimate probable loss magnitude (PLM)
