By Will Anderson Modified April 17, 2020
For some incident types, like serious assaults, loss of IP, and data breaches, executives are aware of the consequences and do not need a detailed accounting to approve spend. But many common incident types are not on the executives' radar and will seem relatively unimportant to them. For these, it is important to get away from talking about abstract incident numbers and talk to them in their language: cold hard dollars. That's why it's important to be able to track and estimate the potential losses associated with incidents that haven't yet occurred in order to secure additional budget for a robust corporate security program.
Despite how important it is to track loss, not many security teams actually do it. They generally don't have the time or resources to generate the detailed data that is required to determine the impact of a loss. For some incident types, it may not be worth the team's effort to determine the value of the loss, especially when the loss occurs long after the incident (e.g., a lawsuit stemming from a slip and fall).
Without good quality data, the default position is to not make an estimate, for fear of being challenged on an assumption behind a loss figure. But by not making an estimate, the default estimate is $0, which is clearly not the right assumption.
When there isn't good loss data it is still important to make an estimate. Our suggestion would be to use an average figure for each of the incident types where you do not have good data. There are lots of ways to do this.
The first step is to define the different types of losses that you can incur:
From there, for each incident type look back and see what, if any, losses you have incurred historically. Because losses often materialize well after the incident, it is usually best to work with an average. For example, if you have had 3 lawsuits in the last three years resulting from slip and falls, for a total of $60,000 in damages, you could divide this figure by the total number of reported slip and falls to get a per-incident average. If you recorded 1,000 slip and falls, then you could calculate the loss as averaging $60 per incident.
What if you have not had a loss but could reasonably expect to have one in the future? You can often find some metrics online or by talking to your peers. Here are a couple of examples:
Rarely do we get perfect data that we can use out of the box, but data like the above can be used to inform much better estimates than $0.
If you are being challenged on your loss estimate, then you are having a conversation about the impact of incidents. While it might not seem like it, you’re actually in a much better place than you started. You have a platform to have discussions about the efficacy of security investments when tied back to the losses that you intend to avoid. By providing data, you are speaking in their language and that will result in better conversations about resource allocation and tradeoffs.
While developing standard costs per incident will definitely take some time, the benefits of improved discussions with the business will more than offset the effort. Opening this dialogue will leave you better armed for discussions about budget and resources in the future.
Measuring the frequency of incidents is a great metric, but without quantifying value along with frequency you could put your resources into the wrong areas. A handful of incidents that cost your organization hundreds of thousands of dollars is obviously more detrimental to your business than low-impact incidents that may occur hundreds of times a year. While the frequent issues might be more top of mind, you won't realize the impact until you've had a few that really cost.
The inverse is also possible. You could have a major incident that is really costly, but frequency tells you that it is a once-every-ten-years kind of event. There could be pressure to ensure it never happens again, pulling resources from other programs that are going toward reducing a systemic issue that is costing the organization a lot of money every month.
A good way to look at incident data to identify which types of incident are most critical to counteract is a chart comparing the total number of incidents of each type against the total loss or net loss of those incidents.
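As an added illustration (not code from the original post) of the per-incident average in the slip-and-fall example above and of comparing incident types by total loss rather than by count alone, this Python snippet aggregates a constructed incident log, falls back to an assumed benchmark figure for types with no loss history, and flags types that still have no estimate instead of silently treating them as $0.

```python
from collections import defaultdict

# Constructed sample data (not from the original post): each record is
# (incident_type, realised_loss_in_dollars). A loss of 0 means the incident
# was logged but no loss was attributed to it.
INCIDENTS = (
    # 1,000 slip and falls, 3 of which turned into lawsuits totalling $60,000
    [("slip_and_fall", 20_000.0)] * 3 + [("slip_and_fall", 0.0)] * 997
    # a handful of costly equipment thefts
    + [("equipment_theft", 4_500.0)] * 12
    # frequent tailgating events with no recorded loss at all
    + [("tailgating", 0.0)] * 400
    # a few vandalism reports with neither loss data nor a benchmark
    + [("vandalism", 0.0)] * 5
)

# Constructed fallback figures for types with no historical loss data, e.g.
# taken from industry reports or peer benchmarks (assumed values).
BENCHMARK_LOSS_PER_INCIDENT = {"tailgating": 25.0}


def estimate_losses(incidents, benchmarks):
    """Aggregate incidents by type and attach a per-incident loss estimate.

    For each type, returns the count, the estimated total loss, the average
    loss per incident and where that average came from: 'historical' when a
    loss was recorded, 'benchmark' when a fallback figure was supplied, and
    'unestimated' otherwise (flagged so it is not mistaken for a real $0).
    """
    count, total = defaultdict(int), defaultdict(float)
    for kind, loss in incidents:
        count[kind] += 1
        total[kind] += loss

    result = {}
    for kind in count:
        if total[kind] > 0:
            avg, source = total[kind] / count[kind], "historical"
        elif kind in benchmarks:
            avg, source = benchmarks[kind], "benchmark"
            total[kind] = avg * count[kind]
        else:
            avg, source = 0.0, "unestimated"
        result[kind] = {"count": count[kind], "total_loss": total[kind],
                        "avg_loss": avg, "source": source}
    return result


def rank_by_total_loss(estimates):
    """Order incident types by estimated total loss, highest first."""
    return sorted(estimates, key=lambda k: estimates[k]["total_loss"], reverse=True)
```

Ranking by `total_loss` rather than `count` is what separates the frequent but cheap tailgating events from the rarer, costlier thefts in this constructed data.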
The goal here isn't exact precision, but consistency. Physical losses are the easiest: products, materials, equipment and other assets should have an agreed-upon, documented value that can be referenced when they are involved in an incident.
Other losses that should also be documented: cost of a disruption to productivity, cost of documented IP or Data Breach, cost of loss of life. There are ways to estimate these costs and you need a baseline. You are measuring incidents in relation to each other. If you determine 1 hour of disruption costs X, then you know that 10 hours of disruption is 10X. As long as you are consistent you can easily determine which incidents have the biggest impacts to your organization.
Having good loss data can be very helpful when a problem is identified that requires new budget to resolve. Any spend on new controls should be done with consideration of the value of that investment, and without actual data to illustrate the problem you will have a hard time getting budget approved. Without hard data and examples, a request can often be dismissed based on others' personal opinions of what the problem is costing the business.
Resolver’s Incident Management Software helps corporate security teams drive the insight they need to efficiently reduce incidents and their impacts on organizations.