The first step in estimating PLM is to determine which threat action is most likely. Remember, actions are driven by motive, and the most common motive for illicit action is financial gain. Given this threat community, the type of asset (personal information), and the available threat actions, it’s reasonable to select Misuse as the most likely action – e.g., for identity theft.

Our next step is to estimate the most likely loss magnitude resulting from Misuse for each loss form.

Our rationale for these estimates includes:

  • The impact to productivity will be Moderate as employees react to the event
  • The cost of responding to the event will include investigation, some amount of time from internal legal counsel, and providing restitution to any affected employees
  • Replacement expenses simply entail the cost of changing the executive’s password
  • No legal or regulatory action occurs because the incident isn’t taken to court or reported to the regulators
  • No competitive advantage loss occurs due to the relatively inconsequential nature of the event
  • No material reputational damage occurs because it was an internal event, no customers were affected, and the organization had a security program in place that included policies and education

A few key assumptions also played a role in our estimates. We assumed:

  • The organization became aware of the incident. It’s entirely possible for this kind of event to go undetected. Until detected, there is no material loss to the organization.
  • Relatively few employees actually experienced identity theft.
  • The organization responded effectively to the event.

Next: Stage 4 – Derive and Articulate Risk


2 Responses to “Estimate probable loss magnitude (PLM)”

  1. Ray B Says:

    Greetings

    I just noticed that in this section we're discussing PLM, thus “Misuse”. The chart above reflects the correct magnitudes relevant to this section, but they are shown under disclosure, which was discussed under worst case.

    Thanks

    Ray

  2. Hayden Bennett Says:

    Identity Theft is so rampant these days because it is quite easy to harvest information from someone else.
