Integration API - Input Values For Workshops and Questions


FAIR Ontology Nodes

FAIR Ontology Node          Value
Event Frequency             1
Vulnerability               2
Primary Loss Magnitude      3
Secondary Loss Magnitude    4


Workshop Modes

FAIR Ontology Node          Workshop Mode    Value
Event Frequency             Native           1
Event Frequency             Guided           5
Vulnerability               Native           2
Vulnerability               Guided           6
Primary Loss Magnitude      Native           3
Primary Loss Magnitude      Guided           7
Secondary Loss Magnitude    Native           4
Secondary Loss Magnitude    Guided           8

Scenario Questions for Integration API

Each question below is listed with its API key, its FAIR ontology node, the unit of the answer, the workshop mode it belongs to (Native, Guided, or Both), the loss types it applies to (Confidentiality, Integrity, Availability, or All), the question text, the guidance shown with the question, and its question ID.

1. Loss Event Frequency (API key: LossEventFrequency)
   FAIR ontology node: Event Frequency; Unit: Events Per Year; Workshop mode: Native; Loss types: All
   Question: How many times in a given year is the Loss Event likely to occur?
   Guidance: This question is asking for a direct estimate of Loss Event Frequency. By entering data into this question, you are choosing not to derive this factor in your analysis. Recommendation: This is useful for analyses where loss events occur on a more routine basis, so that estimates are data-driven and defensible.
   Question ID: b1576430-5123-45dd-abfd-010a5402a179

2. Threat Event Frequency (API key: ThreatEventFrequency)
   FAIR ontology node: Event Frequency; Unit: Events Per Year; Workshop mode: Both; Loss types: All
   Question: How many times in a given year is the Threat Event likely to occur? How many times will the asset face a threat action?
   Guidance: This question is asking for a Threat Event Frequency estimate, which is used in combination with the asset's Vulnerability to derive Loss Event Frequency.

   Sources of data may include past incident response issues, logs, industry data on malicious insiders, and threat intelligence providers.

   Note that infrequent loss events may be represented as a decimal (e.g., 0.1 would represent one event every ten years).
   Question ID: d1d8a8e9-6072-465b-8558-aae507500848

3. Contact Frequency (API key: ContactFrequency)
   FAIR ontology node: Event Frequency; Unit: Events Per Year; Workshop mode: Native; Loss types: All
   Question: How many times in a given year is the threat likely to reach, or make contact with, the asset?
   Guidance: This question is asking for a Contact Frequency estimate, which is used in combination with the Probability of Action estimate and the asset's Vulnerability to derive Loss Event Frequency.

   Sources of data may include past incident response issues, logs, industry data on malicious insiders, and threat intelligence providers.

   Note that infrequent loss events may be represented as a decimal (e.g., 0.1 would represent one event every ten years).
   Question ID: 4ea2b391-9b16-498b-8c7d-5d42c53ac672

4. Probability of Action (API key: ProbabilityOfAction)
   FAIR ontology node: Event Frequency; Unit: Percent; Workshop mode: Native; Loss types: All
   Question: What percentage of threat contact events are likely to result in threat events?
   Guidance: This question is asking for a Probability of Action estimate, which is used in combination with the Contact Frequency estimate and the asset's Vulnerability to derive Loss Event Frequency.

   Sources of data may include past incident response issues, logs, industry data on malicious insiders, and threat intelligence providers.
   Question ID: adc8c186-1d40-41a1-8541-ffcdc39318e1

5. Vulnerability (API key: Vulnerability)
   FAIR ontology node: Vulnerability; Unit: Percent; Workshop mode: Native; Loss types: All
   Question: What percentage of threat events are likely to result in loss events?
   Guidance: This question is asking for a direct estimate of Vulnerability, which is used in combination with Threat Event Frequency to derive Loss Event Frequency.

   Sources of data may include past incident response issues, logs, compliance scans, and vulnerability scans.
   Question ID: 30649e19-ca79-4e30-96da-820c6036c0d0

6. Resistance Strength (API key: ResistiveStrength)
   FAIR ontology node: Vulnerability; Unit: Percent; Workshop mode: Native; Loss types: All
   Question: Given our controls, what is the highest percentile of the Capability Continuum we think we will successfully defeat when threats act against the asset?
   Guidance: This question is asking for a Resistance Strength estimate, which is used in combination with Threat Capability to derive Vulnerability.

   Sources of data may include past incident response issues, logs, compliance scans, and vulnerability scans.
   Question ID: 541293d2-5d6f-4a8e-8a32-0d93d52f4eb2

7. Threat Capability (API key: ThreatCapability)
   FAIR ontology node: Vulnerability; Unit: Percent; Workshop mode: Both; Loss types: All
   Question: How capable is the threat of successfully carrying out the threat event when compared to all threats on the Capability Continuum?
   Guidance: This question is asking for a Threat Capability estimate, which is used in combination with Resistance Strength to derive Vulnerability.

   Sources of data may include past incident response issues, logs, compliance scans, and vulnerability scans.
   Question ID: bd79bfbb-72ec-4bb6-abcb-657bcba1bdc8

8. Primary Productivity Loss (API key: PrimaryProductivityLoss)
   FAIR ontology node: Primary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Primary Productivity loss is our organization likely to experience as a result of the loss event?
   Guidance: Primary Productivity Losses are a result of a reduction in the organization's ability to execute on its primary value proposition or losses that result in paying personnel who are unable to perform their duties.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 2ed24a82-5bf7-4deb-b9e6-bbfa1a239be5

9. Primary Response Costs (API key: PrimaryResponseCosts)
   FAIR ontology node: Primary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Primary Response loss is our organization likely to experience as a result of the loss event?
   Guidance: Primary Response Losses are costs associated with managing the loss event.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 9582e27c-faca-4812-a020-ecb82581eccf

10. Primary Replacement Costs (API key: PrimaryReplacementCosts)
   FAIR ontology node: Primary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Primary Replacement loss is our organization likely to experience as a result of the loss event?
   Guidance: Primary Replacement Losses are costs that include the intrinsic value of replacing the asset.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 915b3f73-659e-49a9-9d9b-0290a1e9ae29

11. Primary Competitive Advantage Loss (API key: PrimaryCompetitiveAdvantageLoss)
   FAIR ontology node: Primary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Primary Competitive Advantage loss is our organization likely to experience as a result of the loss event?
   Guidance: CAUTION: Competitive Advantage losses almost never materialize as Primary Losses.

   Competitive Advantage includes losses associated with intellectual property or other key competitive differentiators that are compromised or damaged.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 3261a43b-0210-4904-961a-d8486cdd5870

12. Primary Fines and Judgments (API key: PrimaryFinesAndJudgments)
   FAIR ontology node: Primary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Primary Fines & Judgments loss is our organization likely to experience as a result of the loss event?
   Guidance: CAUTION: Fines & Judgments almost never materialize as Primary Losses.

   Fines & Judgments losses include losses associated with regulatory body fines, judgments in a civil case, or fees based on contractual stipulations.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: ba44613b-66e5-44bb-96f7-20a23f215ed9

13. Primary Reputation Damage (API key: PrimaryReputationDamage)
   FAIR ontology node: Primary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Primary Reputation Damage loss is our organization likely to experience as a result of the loss event?
   Guidance: CAUTION: Reputation damage almost never materializes as a Primary Loss.

   Reputation losses include losses associated with having a worse reputation, such as market share reduction, cost of capital increases, stock price reduction, and increased insurance premiums.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 77fd11ba-1fe1-48ec-80e3-83254a6db820

14. Secondary Loss Event Frequency (API key: SecondaryLossEventFrequency)
   FAIR ontology node: Secondary Loss Magnitude; Unit: Percent; Workshop mode: Both; Loss types: All
   Question: What percentage of primary loss events are likely to result in losses from secondary stakeholders' reactions?
   Guidance: The effect on secondary stakeholders (e.g., customers, business partners, etc.) can significantly affect how much secondary loss materializes from an event (legal, reputational, etc.). This question is looking for an estimate of the percentage of time that secondary stakeholders are negatively affected.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 248ef254-f22b-4f66-be61-239ec15a7a3c

15. Secondary Productivity Loss (API key: SecondaryProductivityLoss)
   FAIR ontology node: Secondary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Secondary Productivity loss is our organization likely to experience as a result of stakeholders' reactions to the primary loss event?
   Guidance: CAUTION: Productivity losses rarely materialize as Secondary Losses.

   Productivity Losses are a result of a reduction in the organization's ability to execute on its primary value proposition or losses that result in paying personnel who are unable to perform their duties.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 633175db-80a4-4e68-84e9-c6bffd9e8548

16. Secondary Response Costs (API key: SecondaryResponseCosts)
   FAIR ontology node: Secondary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Secondary Response loss is our organization likely to experience as a result of stakeholders' reactions to the primary loss event?
   Guidance: Secondary Response Losses are costs associated with managing stakeholders' reactions to the primary loss event.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 7318f64e-ddd0-4eaa-ac34-0772dfaf921c

17. Secondary Replacement Costs (API key: SecondaryReplacementCosts)
   FAIR ontology node: Secondary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Secondary Replacement loss is our organization likely to experience as a result of stakeholders' reactions to the primary loss event?
   Guidance: Secondary Replacement Losses are costs that include the intrinsic value of replacing the asset.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 1519c114-8ca0-4620-9b7e-d58ce853b4f6

18. Secondary Competitive Advantage Loss (API key: SecondaryCompetitiveAdvantageLoss)
   FAIR ontology node: Secondary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Secondary Competitive Advantage loss is our organization likely to experience as a result of stakeholders' reactions to the primary loss event?
   Guidance: Competitive Advantage includes losses associated with intellectual property or other key competitive differentiators that are compromised or damaged.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: ca2953e4-3de8-45a6-a906-93d448384276

19. Secondary Fines and Judgments (API key: SecondaryFinesAndJudgments)
   FAIR ontology node: Secondary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Secondary Fines & Judgments loss is our organization likely to experience as a result of stakeholders' reactions to the primary loss event?
   Guidance: Fines & Judgments losses include losses associated with regulatory body fines, judgments in a civil case, or fees based on contractual stipulations.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 5bac4720-ecc1-4bfc-9c47-ce12b3baff78

20. Secondary Reputation Damage (API key: SecondaryReputationDamage)
   FAIR ontology node: Secondary Loss Magnitude; Unit: Money; Workshop mode: Native; Loss types: All
   Question: How much Secondary Reputation Damage loss is our organization likely to experience as a result of stakeholders' reactions to the primary loss event?
   Guidance: Reputation losses include losses associated with having a worse reputation and materialize as market share reduction, cost of capital increases, stock price reduction, and increased insurance premiums.

   Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.
   Question ID: 1fd6a840-e80f-4fe3-864a-70b6fb8157c7

21. Access Privileges Audit Results (API key: AccessPrivilegeAuditResults)
   FAIR ontology node: Vulnerability; Unit: Percent; Workshop mode: Guided; Loss types: All
   Question: If an audit of access privileges was performed today, what percentage of privileges would be found compliant with policies and standards? Also, briefly describe the process for managing access privileges.
   Guidance: This question is looking for an estimate of the percentage of accounts that have appropriate privileges for the asset in question. This information is used, in combination with authentication, configuration, and threat community information, to derive the asset's vulnerability.

   Data to support this estimate may come from audit examinations or other testing an organization may have performed. Note that acquiring this data does not require an assessment of the entire account population, as a statistically sound sample should be sufficient. It may be worthwhile to discuss this with the Internal Audit group, as they may already have defined what they consider to be reasonable regarding sample sizes.

   Note that if you have good data regarding privilege compliance for a different asset group, that data may be useful to help baseline this estimate IF the characteristics of the other asset group (e.g., access privilege processes, the volume of changes, etc.) are sufficiently similar to this asset.
   Question ID: c5b353d5-f951-4d5d-b0f7-6e1d0ca064ef

22. Authentication Audit Results (API key: AuthenticationAuditResults)
   FAIR ontology node: Vulnerability; Unit: Percent; Workshop mode: Guided; Loss types: All
   Question: If an audit of passwords and password practices was performed today, what percentage would be found compliant with policies and standards? Also, briefly describe the password standards that are used on these assets (e.g., length, complexity, etc.).
   Guidance: This question is looking for an estimate of the percentage of passwords and password practices for the asset that align with the organization's policies and standards. This information is used, in combination with access privileges, configuration, and threat community information, to derive the asset's vulnerability.

   Data to support this estimate may come from audit examinations or other testing an organization may have performed. Password testing (cracking) programs may be used to get detailed data on passwords being used. If such a tool is used, ensure it is authorized by policy and appropriate usage processes are followed.

   Note that acquiring this data does not require an assessment of the entire account population, as a statistically sound sample should be sufficient. It may be worthwhile to discuss this with the Internal Audit group, as they may already have defined what they consider to be reasonable regarding sample sizes.

   Note that if you have good data regarding password compliance for a different asset group, that data may be useful to help baseline this estimate IF the characteristics of the other asset group (e.g., authentication configuration standards, password management processes, etc.) are sufficiently similar to this asset.
   Question ID: b566f1b4-4836-41b7-9450-59300bb82e9d

23. Structural Integrity Audit Results (API key: StructuralIntegrityAuditResults)
   FAIR ontology node: Vulnerability; Unit: Percent; Workshop mode: Guided; Loss types: All
   Question: If an audit of patch levels and asset configurations was performed today, what percentage of the assets would be found compliant with policies and standards? If the asset at risk is an application rather than a system, you should interpret the question as asking what percentage of applications are compliant with secure coding standards. Also, briefly describe the processes used to manage configuration and patching for these assets.
   Guidance: This question is looking for an estimate of the percentage of systems within the population that are configured according to organization standards (or best practices if the organization doesn't have defined configuration standards for this asset type), are up to date on patches (as defined by organization policy), and follow program code security. This information is used, in combination with authentication, access privileges, and threat community information, to derive the asset's vulnerability.

   Data to support this estimate may come from audit examinations or other testing an organization may have performed. Note that acquiring this data does not require an assessment of the entire account population, as a statistically sound sample should be sufficient. It may be worthwhile to discuss this with the Internal Audit group, as they may already have defined what they consider to be reasonable regarding sample sizes.

   Note that if you have good data regarding configuration and patch compliance for a different asset group, that data may be useful to help baseline this estimate IF the characteristics of the other asset group (e.g., exploit notification frequency, patching schedule, etc.) are sufficiently similar to this asset.
   Question ID: 73ada78f-bb46-4448-9f79-27277d2032bb

24. Compliant Structural Integrity Strength (API key: StructuralIntegrityStrength)
   FAIR ontology node: Vulnerability; Unit: Percent; Workshop mode: Guided; Loss types: All
   Question: When the asset(s) are in compliance with policy requirements, what is the estimated resistance strength for configuration and patch elements?
   Guidance: This variable represents the intended resistance strength of the organization's structural integrity elements given the technologies in place. Structural integrity generally is a function of the technology configuration standards and patching processes and/or program code security that prevent an attacker from circumventing authentication and access privilege controls.

   Recall that resistance strength is estimated against a capability continuum from 0% to 100%.

   The Minimum compliant resistance strength value represents an "at least this strong" estimate for structural integrity. For example, a Min value of 90% is saying that an organization would not expect threat agents with capability below the 90th percentile to be able to circumvent structural integrity elements such as configuration and patch management.

   The Maximum compliant resistance strength value represents a "no stronger than this" estimate for structural integrity. For example, a Max value of 95% is saying that an organization would expect threat agents with capability above the 95th percentile to always be able to circumvent structural integrity elements such as configuration and patch management.

   The Most Likely compliant resistance strength value represents an estimate between Min and Max that an organization believes represents the most likely effective resistance strength. For example, a Most Likely value of 95% is saying that an organization believes the resistance strength of these controls is most likely to be 95%.
   Question ID: 1f4ec7a3-29dd-44e8-9296-9911f279e093

25. Non-Compliant Structural Integrity Strength (API key: NonCompliantStructuralIntegrityStrength)
   FAIR ontology node: Vulnerability; Unit: Percent; Workshop mode: Guided; Loss types: All
   Question: When the asset(s) are NOT in compliance with policy requirements, what is the estimated resistance strength for configuration and patch elements?
   Guidance: Systems and applications that are not compliant with organization policies and standards regarding configurations, patching and/or program code security have a different (and generally lower) ability to resist compromise. This question is looking for an estimate of the resistance strength for those systems or applications that are not compliant. This information is used in combination with access privilege, authentication, and threat information to determine the asset's vulnerability.

   An example of a resistance strength estimate for non-compliant systems or applications might be:
   Min = 20% (representing systems/applications that would be very easily compromised)
   Max = 95% (representing systems/applications that are not fully compliant but that still represent reasonably hard targets)
   ML = 80% (representing an estimate that, although not compliant with organization standards, most systems/applications would be relatively difficult to compromise)

   Data to support this estimate may come from audit examinations or other testing an organization may have performed. Note that acquiring this data does not require an assessment of the entire account population, as a statistically sound sample should be sufficient. It may be worthwhile to discuss this with the Internal Audit group, as they may already have defined what they consider to be reasonable regarding sample sizes.

   For more specific guidance on estimating resistance strength, please refer to RiskLens training materials or contact a FAIR-trained professional.
   Question ID: 4c393f06-ed02-44e4-94df-c5c2bbee14cd
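The guidance for questions 2 through 7 describes how Contact Frequency, Probability of Action, Threat Event Frequency, Threat Capability and Resistance Strength combine into Loss Event Frequency, and questions 23 through 25 describe Min / Most Likely / Max resistance strength ranges for compliant and non-compliant populations. The following script is an added illustration of those combination rules; it is not RiskLens code and not the Integration API's own calculation. It assumes that Min/ML/Max inputs are modelled as triangular distributions, that percentages are passed as fractions (95% as 0.95), and that an audit compliance rate selects which resistance strength range each simulated threat event faces; all three are assumptions made here, and `derive_vulnerability_with_audit` is a hypothetical helper name.

```python
"""Deriving Loss Event Frequency from the FAIR question inputs listed above.

Added illustration, not RiskLens code. Combination rules used:
  TEF = Contact Frequency x Probability of Action
  Vulnerability = share of threat events where Threat Capability > Resistance Strength
  LEF = TEF x Vulnerability
Assumptions made here: Min/ML/Max ranges are triangular distributions and
percentages are expressed as fractions in 0..1 (the capability continuum 0%..100%).
"""
import random
from typing import Tuple

Range = Tuple[float, float, float]  # (Min, Most Likely, Max), each in 0..1


def sample_range(rng: random.Random, r: Range) -> float:
    """Draw one value from a Min/ML/Max range (triangular assumption)."""
    lo, ml, hi = r
    if not 0.0 <= lo <= ml <= hi <= 1.0:
        raise ValueError(f"range must satisfy 0 <= Min <= ML <= Max <= 1, got {r}")
    if lo == hi:
        return lo  # degenerate range: a point estimate
    # random.triangular's signature is (low, high, mode): the mode goes last.
    return rng.triangular(lo, hi, ml)


def derive_tef(contact_frequency: float, probability_of_action: float) -> float:
    """Threat Event Frequency (events/year) = Contact Frequency x Probability of Action."""
    if contact_frequency < 0 or not 0.0 <= probability_of_action <= 1.0:
        raise ValueError("Contact Frequency must be >= 0 and Probability of Action in 0..1")
    return contact_frequency * probability_of_action


def derive_vulnerability(threat_capability: Range, resistance_strength: Range,
                         trials: int = 20_000, seed: int = 1) -> float:
    """Vulnerability: fraction of simulated threat events in which TCap beats RS."""
    rng = random.Random(seed)
    beaten = 0
    for _ in range(trials):
        tcap = sample_range(rng, threat_capability)
        rs = sample_range(rng, resistance_strength)
        if tcap > rs:
            beaten += 1
    return beaten / trials


def derive_vulnerability_with_audit(threat_capability: Range, compliance_rate: float,
                                    compliant_rs: Range, non_compliant_rs: Range,
                                    trials: int = 20_000, seed: int = 1) -> float:
    """Vulnerability when an audit says only part of the population is compliant.

    Assumption (hypothetical helper, not a formula stated on the page): each
    simulated threat event lands on a compliant asset with probability
    compliance_rate and faces the compliant Resistance Strength range;
    otherwise it faces the non-compliant range.
    """
    if not 0.0 <= compliance_rate <= 1.0:
        raise ValueError("compliance_rate must be in 0..1")
    rng = random.Random(seed)
    beaten = 0
    for _ in range(trials):
        tcap = sample_range(rng, threat_capability)
        rs_range = compliant_rs if rng.random() < compliance_rate else non_compliant_rs
        if tcap > sample_range(rng, rs_range):
            beaten += 1
    return beaten / trials


def derive_lef(tef: float, vulnerability: float) -> float:
    """Loss Event Frequency (events/year) = TEF x Vulnerability."""
    return tef * vulnerability


if __name__ == "__main__":
    # Constructed scenario values, not data from the page: weekly contact,
    # one in four contacts becomes a threat event.
    tef = derive_tef(contact_frequency=52.0, probability_of_action=0.25)
    # Resistance strength ranges are the page's own illustrations (compliant
    # Min 90 / ML 95 / Max 95, non-compliant Min 20 / ML 80 / Max 95); the
    # threat capability range and the 85% audit compliance rate are constructed.
    vuln = derive_vulnerability_with_audit((0.50, 0.70, 0.90), 0.85,
                                           (0.90, 0.95, 0.95), (0.20, 0.80, 0.95))
    print(f"TEF={tef:.2f}/yr  Vulnerability={vuln:.3f}  LEF={derive_lef(tef, vuln):.3f}/yr")
```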

26

Compliant Access Privileges Strength

PrivilegesStrength

Vulnerability

Percent

Guided

All

When the asset(s) are in compliance with policy requirements, what is the estimated resistance strength for access privileges?

This variable represents the intended resistance strength of access privilege controls. Generally, access privilege controls are intended to be binary in nature -- you either have authorized access to one or more assets, or you don't. As a result, the values typically used for this variable will be nearly absolute (e.g., 98%, 99%, 100%).    Recall that resistance strength is estimated against a capability continuum from 0% to 100%.    The Minimum compliant resistance strength value represents an "at least this strong" estimate for access privileges. For example, a Min value of 90% is saying that an organization would not expect threat agents with capability below the 90th percentile to be able to circumvent access privilege controls.    The Maximum compliant resistance strength value represents a "no stronger than this" estimate for access privileges. For example, a Max value of 95% is saying that an organization would expect threat agents with capability above the 95th percentile to always be able to circumvent access privilege controls.    The Most Likely compliant resistance strength value represents an estimate between Min and Max that an organization believes represents most likely effective resistance strength. For example, a Most Likely value of 95% is saying that an organization believes the resistance strength of these controls is most likely to be 95%.

9ff7b6e7-4653-4e9d-8386-cd10b1000e6c

27

Non-Compliant Access Privileges Strength

NonCompliantPrivilegesStrength

Vulnerability

Percent

Guided

All

When the asset(s) are NOT in compliance with policy requirements, what is the estimated resistance strength for access privileges?

This variable represents the expected resistance strength when access privileges are not in their intended state. Generally, this variable's values will be at the other end of the resistance strength spectrum relative to Compliant Privilege Strength values (e.g., 0%, 1%, 2%), reflecting an expectation that if someone has inappropriate access privileges they implicitly are able to perform actions they shouldn't.

3cf1f898-6f8c-4dea-aa31-f7a647f563cb

28

Compliant Authentication Strength

AuthenticationStrength

Vulnerability

Percent

Guided

All

When the asset(s) are in compliance with policy requirements, what is the estimated resistance strength for authentication mechanisms?

This question is looking for an estimate of the percentage of passwords and password practices for the asset that aligns with the organization's policies and standards. This information is used, in combination with access privileges, configuration, and threat community information, to derive the asset's vulnerability.    Data to support this estimate may come from audit examinations or other testing an organization may have performed. Password testing (cracking) programs may be used to get detailed data on passwords being used. If such a tool is used, ensure it is authorized by policy and appropriate usage processes are followed.    Note that acquiring this data does not require an assessment of the entire account population, as a statistically sound sample should be sufficient. It may be worthwhile to discuss this with the Internal Audit group as they may already have defined what they consider to be reasonable regarding sample sizes.    Note that if you have good data regarding password compliance for a different asset group, that data may be useful to help baseline this estimate IF the characteristics of the other asset group (e.g., authentication configuration standards, password management processes, etc.) are sufficiently similar to this asset.    The Minimum compliant resistance strength value represents an "at least this strong" estimate for authentication. For example, a Min value of 90% is saying that an organization would not expect threat agents with capability below the 90th percentile to be able to circumvent access privilege controls.     The Maximum compliant resistance strength value represents a "no stronger than this" estimate for authentication. For example, a Max value of 95% is saying that an organization would expect threat agents with capability above the 95th percentile to always be able to circumvent access privilege controls.    
The Most Likely compliant resistance strength value represents an estimate between Min and Max that an organization believes represents most likely effective resistance strength. For example, a Most Likely value of 95% is saying that an organization believes the resistance strength of these controls is most likely to be 95%.

4d146b4c-13ea-4589-8f3a-0a247722aec6

29

Non-Compliant Authentication Strength

NonCompliantAuthenticationStrength

Vulnerability

Percent

Guided

All

When the asset(s) are NOT in compliance with policy requirements, what is the estimated resistance strength for authentication mechanisms?

Passwords and authentication processes that are not compliant with organization policies and standards have a different (and generally lower) ability to resist compromise. This question is looking for an estimate of the resistance strength for accounts on these assets that are not compliant. This information is used in combination with access privilege, configuration, and threat information to determine the asset's vulnerability.    An example of resistance strength estimate for Non-Compliant Authentication might be:    Min = 0% (representing an account with a blank password) Max = 95% (representing an account with a password that doesn't match organization standards of, for example, 98%) ML = 80% (representing an estimate that, although not compliant with organization standards, most accounts have relatively strong passwords and password practices)    Data to support this estimate may come from audit examinations or other testing an organization may have performed. Note that acquiring this data does not require an assessment of the entire account population, as a statistically sound sample should be sufficient. It may be worthwhile to discuss this with the Internal Audit group as they may already have defined what they consider to be reasonable regarding sample sizes.    For more specific guidance on estimating resistance strength, please refer to FAIR training materials or contact a FAIR-trained professional.

e3da9cd4-ab6d-4368-b69c-46aef6b5c8fb

30

Recovery Timeframe

RecoveryTimeframe

Primary Loss Magnitude

Hours

Guided

Availability

When an outage occurs, how many hours does it take to bring the asset(s) back up?

The length of time it takes to recover an asset following an outage can play a significant role in how much loss materializes. This question is looking for an estimated recovery timeframe across the population of assets, which is used in combination with other loss factors to derive loss magnitude.    The Minimum value should represent a best-case recovery timeframe for a system or application within the population of assets.    The Maximum value should represent a worst-case recovery timeframe for a system or application within the population.    The Most Likely value should represent the most common recovery timeframe.    Sources of information to support these values can often be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., system administrators) are also often good sources of data.

fa32515e-db51-4220-9340-fbacc53c1c2a

31

Affected Employees

AffectedEmployees

Primary Loss Magnitude

Employees

Guided

Availability

When an outage occurs, how many employees are hindered in their ability to perform their duties?

The number of employees who are idle or operating in a degraded state can have a significant effect on how much loss materializes from an outage event. This question is looking for an estimate on the number of employees who are idle or in a degraded state of productivity as a result of the asset(s) being unavailable.    Sources of information to support these values often can be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.

e2a83a6e-6163-44e0-836b-1c9697528ff6

32

Effect on Employee Productivity

EffectOnEmployeeProductivity

Primary Loss Magnitude

Percent

Guided

Availability

When an outage occurs that affects employee productivity, to what degree is their productivity affected?

Although an outage may affect employee productivity, it rarely degrades productivity by 100%. Note, too, that it is common for employees to "catch up" on job responsibilities after an outage has been resolved, resulting in a less practical effect on productivity. Answering this question requires an estimate of how significantly employee productivity is likely to be degraded.

8ccf378b-5304-49f5-bc8f-dc69445cc086

33

Effect on Productivity

EffectOnProductivity

Primary Loss Magnitude

Percent

Guided

All

What percentage of the time do availability outages affect the organization's operational ability to deliver on its value proposition (e.g., sell goods or services)?

Some systems or applications play a significant role in an organization's ability to deliver on its mission/value proposition (e.g., the transactional website for an online retail business). Conversely, some systems and applications play virtually no direct role (e.g., back office processing). This question is looking for an estimate of the percentage of time an outage in the systems/applications in this asset group will affect the organization's value proposition and its ability to generate revenue. Sources of information to support these values can often be found in an organization's operational incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., business process managers) are also often good sources of data.

fa0dc230-dbb8-4ecc-8732-dc00b0166ad7

34

Replacement Cost

ReplacementCost

Primary Loss Magnitude

Money

Guided

Integrity, Availability

What capital or operational expense costs would be incurred to replace the asset(s) at risk?

The replacement costs associated with assets that are made permanently unavailable through theft or damage can be significant. This question is looking for an estimate of the per-asset replacement cost for the asset(s) at risk (e.g., servers, personal systems, etc.). Sources of information to support these values can often be found in purchasing records or through discussions with personnel in IT or purchasing.

bfbc2c1c-aec2-44c0-81be-7d23babd829c

35

Person Hours

PersonHours

Primary Loss Magnitude

Hours

Guided

Confidentiality, Integrity, Availability

How many person-hours are spent managing the loss event? Note that managing stakeholder reactions should not be included in this estimate.

When loss events occur, inevitably some soft-dollar losses are incurred as people repurpose their activities to respond to the event. These costs are often a function of the number of people involved in dealing with the event times the number of hours incurred (per person). This value is combined with an estimate of the per-person loaded hourly rate to arrive at this component of response-related loss. Sources of information to support these values can often be found in an organization's incident reports as well as business or disaster recovery exercise reports. Internal subject matter experts (e.g., incident response managers) are also often good sources of data.

7034e53e-7c91-4671-bb7d-49b0c2260524

36

Employee Wage

AverageEmployeeWage

Primary Loss Magnitude

Money

Guided

Confidentiality, Integrity, Availability

What is the average loaded employee wage per hour?

This variable represents the loaded wage of employees or other paid workers within the organization. It is used to derive the productivity effects for idle workers in availability scenarios as well as the soft costs associated with personnel responding to loss events.

c7d48cff-b84f-4f15-bcf2-9790c99d3e3e

42

Sensitive Records

SensitiveRecords

Secondary Loss Magnitude

Records

Guided

Confidentiality

How many sensitive records (if any) are stored on or processed by these assets?

The number of sensitive records stored or processed on a system or application determines the volume of information "at risk". This information is crucial in determining the magnitude of loss that can materialize from loss events. It is used in combination with the data types and loss tables to determine Secondary Loss Magnitude. When answering this question: the Minimum number should represent those assets with the least amount of sensitive information on them (for example, if one or more assets have no sensitive records on them, your Min value would be 0); the Maximum number should represent those assets with the largest volume of sensitive information on them; the Most Likely number should represent the "common case" in terms of sensitive information on these assets (for example, if you surveyed the volume of sensitive records in a population of databases and found that most databases had around 100,000 sensitive records, you would use this number as your ML value). Database administrators, system administrators, and business technology managers are often good sources of information for these values.

5883179c-eb35-4871-9da3-a1b44d41a8dc

43

Payment Card Information

PersonalCreditInformation

Secondary Loss Magnitude

Percent

Guided

Confidentiality

Regarding the sensitive records (restricted or protected data stored, processed or transmitted on these objects), what percentage is classified as payment card data (i.e., data in scope for PCI DSS)?

This question is looking for an estimate of the percentage of total sensitive records affected (collected in a previous workshop question) that include payment card data (in scope for PCI DSS). Ex: 80% of 1,000,000 records stored/processed by the asset include payment card data. Recommendation: Your total % across all questions related to data type should equal approximately 100%. This is to ensure loss is not being double-counted by the use of multiple loss tables for a single record. Asset Owners, database administrators and business application personnel are often good sources of information for these values.

64b71d58-b1b5-4a35-9047-4416c24dbc3c

44

Personally Identifiable Information

PersonallyIdentifiableInformation

Secondary Loss Magnitude

Percent

Guided

Confidentiality

Regarding the sensitive records (restricted or protected data stored, processed or transmitted on these objects), what percentage is classified as protected personal information (e.g., tax identification numbers)?

This question is looking for an estimate of the percentage of total sensitive records affected (collected in a previous workshop question) that include personally identifiable information (PII). Ex: 10% of 1,000,000 records stored/processed by the asset include PII. Recommendation: Your total % across all questions related to data type should equal approximately 100%. This is to ensure loss is not being double-counted by the use of multiple loss tables for a single record. Asset Owners, database administrators and business application personnel are often good sources of information for these values.

d160bef4-d44f-4467-ad1f-7c9db1b0f5fb

45

Personal Health Information

PersonalHealthInformation

Secondary Loss Magnitude

Percent

Guided

Confidentiality

Regarding the sensitive records (restricted or protected data stored, processed or transmitted on these objects), what percentage is classified as protected health information (PHI, i.e., data regulated under HIPAA)?

This question is looking for an estimate of the percentage of total sensitive records affected (collected in a previous workshop question) that include protected health information (PHI). Ex: 10% of 1,000,000 records stored/processed by the asset include PHI. Recommendation: Your total % across all questions related to data type should equal approximately 100%. This is to ensure loss is not being double-counted by the use of multiple loss tables for a single record. Asset Owners, database administrators and business application personnel are often good sources of information for these values.

923f7154-5361-4be8-bb34-90527da16fa7

46

Contractual

Contractual

Secondary Loss Magnitude

Percent

Guided

Confidentiality

Regarding the sensitive records (restricted or protected data stored, processed or transmitted on these objects), what percentage is classified as contractually protected data?

The compromise of contractually protected information (e.g., information that includes contractual terms between two or more organizations) can drive significant response costs, fines and judgments, and reputation damage. Ex: 100% of records stored/processed by the asset are contractually protected data. Recommendation: Your total % across all questions related to data type should equal approximately 100%. This is to ensure loss is not being double-counted by the use of multiple loss tables for a single record. Asset Owners, database administrators and business application personnel are often good sources of information for these values.

e6d2a888-e154-4907-bd6b-0caa769179aa

47

Corporate Sensitive Data

CorporateSensitiveData

Secondary Loss Magnitude

Percent

Guided

Confidentiality

Regarding the sensitive records (restricted or protected data stored, processed or transmitted on these objects), what percentage is classified as corporate sensitive or corporate financial data?

The compromise of corporate sensitive or corporate financial data (e.g., confidential information regarding an organization's plans, financial conditions, or operations) can drive significant response costs, fines and judgments, and reputation damage. Ex: 100% of records stored/processed by the asset are corporate sensitive or corporate financial data. Recommendation: Your total % across all questions related to data type should equal approximately 100%. This is to ensure loss is not being double-counted by the use of multiple loss tables for a single record. Asset Owners, database administrators and business application personnel are often good sources of information for these values.

531ae0de-a644-4571-9a88-78871ff6eb38

48

Intellectual Property

IntellectualProperty

Secondary Loss Magnitude

Percent

Guided

Confidentiality

Regarding the sensitive records (restricted or protected data stored, processed or transmitted on these objects), what percentage is classified as intellectual property data?

The compromise of Intellectual Property (IP) can drive significant response costs, competitive disadvantage, and reputation damage. This question is looking for an estimate of the percentage of sensitive information at risk that is considered to be IP. Ex: 100% of records stored/processed by the asset are intellectual property. Recommendation: Your total % across all questions related to data type should equal approximately 100%. This is to ensure loss is not being double-counted by the use of multiple loss tables for a single record. Product managers, business application personnel, business managers, Asset Owners and database administrators are often good sources of information for these values; the Internal Audit department may also be a useful source.

c1a3c609-be79-4147-a235-6bfb194e1e0b

49

Education Records

FERPA

Secondary Loss Magnitude

Percent

Guided

Confidentiality

Regarding the sensitive records (restricted or protected data stored, processed or transmitted on these objects), what percentage is classified as education records (i.e., FERPA) data?

This question is looking for an estimate of the percentage of total sensitive records affected (collected in a previous workshop question) that include data protected under the Family Educational Rights and Privacy Act (FERPA). Ex: 10% of 1,000,000 records stored/processed by the asset include FERPA data. Recommendation: Your total % across all questions related to data type should equal approximately 100%. This is to ensure loss is not being double-counted by the use of multiple loss tables for a single record. Asset Owners, database administrators and business application personnel are often good sources of information for these values.

edf61ddf-081f-4e8b-ab79-a8e024f3133d

Additional Notes:

Please note that due to the scoping structure in RiskLens (including in the UI), the Statutory threat type on the scope of a Scenario cannot be used with the Guided Workshop mode. The UI displays a specific error for this combination, but the API returns only a generic error response when it is attempted, so the combination is best rejected client-side before the request is submitted.
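The recommendation (questions 43 through 49) that the data-type percentages sum to approximately 100%, the Min / Most Likely / Max ordering described for the recovery-time and Sensitive Records questions, and the Statutory/Guided restriction in the note above are all checks an integration should run before calling the API, since the API's generic error does not say which input was wrong. The following Python is an added example and is not RiskLens code. The payload layout (answers keyed by the question API keys listed on this page, each holding min / mostLikely / max), the "Malicious" threat-type string and the sample figures are assumptions for the example; this page does not show the actual Integration API request format, so adapt the field names to it.

```python
"""Pre-flight checks for Guided-workshop inputs before they are sent to the
RiskLens Integration API.

Added example, not RiskLens code. ASSUMED request shape: each answer is keyed
by the question's API key (as listed on this page) and carries a
min / mostLikely / max estimate. Adapt to the real request format.
"""

# API keys of the data-type percentage questions (Secondary Loss Magnitude,
# Confidentiality). The page recommends that these sum to roughly 100% so a
# single record is not run through several loss tables.
DATA_TYPE_KEYS = (
    "PersonalCreditInformation",
    "PersonallyIdentifiableInformation",
    "PersonalHealthInformation",
    "Contractual",
    "CorporateSensitiveData",
    "IntellectualProperty",
    "FERPA",
)

# Every question on this page whose unit is Percent.
PERCENT_KEYS = DATA_TYPE_KEYS + (
    "EffectOnEmployeeProductivity",
    "EffectOnProductivity",
)

# Workshop Mode values for Guided mode, from the Workshop Modes table.
GUIDED_MODE_VALUES = {5, 6, 7, 8}


def validate_guided_inputs(answers, threat_type, workshop_mode, tolerance=5.0):
    """Return a list of problem strings; an empty list means the inputs pass.

    answers       {api_key: {"min": x, "mostLikely": y, "max": z}}  (assumed shape)
    threat_type   threat type on the Scenario scope, e.g. "Statutory"
    workshop_mode integer Workshop Mode value (1-8)
    tolerance     allowed deviation of the data-type sum from 100, in points
    """
    problems = []

    # Additional Notes on this page: Statutory cannot be combined with Guided
    # mode, and the API only returns a generic error, so catch it here.
    if workshop_mode in GUIDED_MODE_VALUES and threat_type == "Statutory":
        problems.append(
            "Statutory threat type cannot be used with Guided workshop mode"
        )

    for key, est in answers.items():
        lo, ml, hi = est["min"], est["mostLikely"], est["max"]
        # Min is the best case, Max the worst case, Most Likely the common case.
        if lo < 0:
            problems.append(f"{key}: min must not be negative (got {lo})")
        if not lo <= ml <= hi:
            problems.append(
                f"{key}: expected min <= mostLikely <= max, got {lo}, {ml}, {hi}"
            )
        if key in PERCENT_KEYS and hi > 100:
            problems.append(f"{key}: percentage max exceeds 100 (got {hi})")

    # Double-counting check across the data-type questions that were answered.
    present = [k for k in DATA_TYPE_KEYS if k in answers]
    if present:
        total = sum(answers[k]["mostLikely"] for k in present)
        if abs(total - 100.0) > tolerance:
            problems.append(
                f"data-type percentages sum to {total:g}%, expected ~100% "
                f"(within {tolerance:g} points)"
            )
    return problems


# Constructed sample: a database population holding up to 1,000,000 records,
# 80% payment card data and 20% PII, in the spirit of the page's own examples.
SAMPLE_OK = {
    "SensitiveRecords": {"min": 0, "mostLikely": 100_000, "max": 1_000_000},
    "PersonalCreditInformation": {"min": 70, "mostLikely": 80, "max": 90},
    "PersonallyIdentifiableInformation": {"min": 10, "mostLikely": 20, "max": 30},
    "PersonHours": {"min": 40, "mostLikely": 120, "max": 400},
}

# Constructed sample with three defects: an inverted Min/Most Likely range,
# data-type percentages that would double-count records, and (when paired
# with threat_type="Statutory" and a Guided mode) the forbidden combination.
SAMPLE_BAD = {
    "SensitiveRecords": {"min": 500_000, "mostLikely": 100_000, "max": 1_000_000},
    "PersonalCreditInformation": {"min": 70, "mostLikely": 80, "max": 90},
    "PersonalHealthInformation": {"min": 30, "mostLikely": 40, "max": 50},
}

if __name__ == "__main__":
    # "Malicious" is an assumed threat-type label for the non-Statutory case.
    print(validate_guided_inputs(SAMPLE_OK, "Malicious", 8))
    for p in validate_guided_inputs(SAMPLE_BAD, "Statutory", 8):
        print("-", p)
```

Run the checks with the Workshop Mode value you intend to submit: the same Statutory scope that fails under mode 8 (Secondary Loss Magnitude, Guided) passes under mode 4 (Native), which matches the restriction in the note above.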