Key Challenge: Estimating Loss in the Public Sector

Here's an interesting dilemma... how does one go about estimating losses in the public sector? NIST RMF side-steps this problem by advising people to assume the worst-case scenario for their estimates, but this leads to all sorts of problems (if everything is "critical," then how do you prioritize?). Given my background with FAIR, I've thought that perhaps it could show me a better way through this question... however, it's a bit of a pickle!

First, a quick primer on FAIR and loss estimates: FAIR splits the loss estimate between primary loss (borne directly by the primary stakeholder) and secondary loss (triggered by the reactions of secondary stakeholders, such as customers, regulators, or the public). Losses are then estimated, using calibrated ranges and confidence statements rather than point values, in six categories: Productivity, Response, Replacement, Competitive Advantage, Fines & Judgments, and Reputation. In most cases, the first three or four categories tend to be primary losses, while the last two or three tend to be secondary losses.

Now let's turn this around to the public sector. Assuming that the government is the primary stakeholder, and that the public and other entities are the secondary stakeholders, can we produce a reasonable loss estimate? First, consider those six categories... we can immediately remove the last three (Competitive Advantage, Fines & Judgments, and Reputation) as not applying. The government doesn't fine itself, and there's really not much you can do if it is compromised. After all, so long as you're within the borders of the US, you're subject to the US Government; you can't physically stay put and opt out in favor of a different government. That leaves us with Productivity, Response, and Replacement. Leaving "government productivity" jokes aside, it's pretty clear that any loss estimates here will be fairly low, and thus not especially meaningful or compelling. So, perhaps this is a failed approach...

What, then, would be a better approach? One notion floated is to flip the stakeholders. What if you were to first estimate the loss to the public as the primary stakeholder, and then treat other costs (such as those to the government itself) as the secondary stakeholder losses? That is perhaps a lot more interesting, since there are reasonable arguments that the compromise of certain datasets would have a sizable negative impact on the public, especially when viewed as a whole: each individual's loss may be modest, but rolled up across everyone affected it becomes a large aggregate. Suffice to say, this line of thinking opens the door to a more compelling analysis, and it's definitely worth exploring further...
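To make the two framings concrete, here is an added example (my own code, not the author's model or any FAIR tool's implementation) that runs a FAIR-style Monte Carlo loss estimate twice over the same hypothetical breach of a citizen-records database: once with the agency as the primary stakeholder and the last three loss forms dropped, as argued above, and once with the public as the primary stakeholder and the agency's own costs moved to the secondary side. Every (min, most likely, max) range, the loss event frequency, and the 200,000 affected-people figure are made-up placeholders standing in for calibrated estimates; a triangular draw stands in for the PERT/beta distribution FAIR tools usually use, so the whole thing runs on the standard library.

```python
"""FAIR-style Monte Carlo loss estimate under two stakeholder framings.

Added example, not the post author's model or a FAIR tool's code.
Every (min, most likely, max) range and the affected-population figure
below is a made-up placeholder standing in for a calibrated estimate.
"""
import random
import statistics

# Each entry: loss_form -> (low, most_likely, high, units), where units is a
# multiplier (1 for the agency itself, N for N affected members of the public).

# Framing 1: the agency is the primary stakeholder.  Competitive advantage,
# fines & judgments and reputation are dropped, per the argument above.
GOV_AS_PRIMARY = {
    "lef": (0.1, 0.5, 2.0),  # loss events per year (placeholder range)
    "primary": {
        "productivity": (50_000, 150_000, 500_000, 1),
        "response":     (100_000, 300_000, 1_000_000, 1),
        "replacement":  (20_000, 80_000, 300_000, 1),
    },
    "secondary": {},
}

# Framing 2 (flipped): the public is the primary stakeholder and the agency's
# own costs become secondary losses.  Per-person ranges are scaled by a
# placeholder count of affected records.
AFFECTED_PEOPLE = 200_000  # placeholder
PUBLIC_AS_PRIMARY = {
    "lef": (0.1, 0.5, 2.0),
    "primary": {
        # time each person spends cleaning up fraud, in dollars, per person
        "productivity": (10, 60, 300, AFFECTED_PEOPLE),
        # monitoring, reissued credentials, etc., per person
        "response":     (5, 25, 150, AFFECTED_PEOPLE),
    },
    "secondary": dict(GOV_AS_PRIMARY["primary"]),
}


def sample_range(rng, low, mode, high):
    """Draw one value from a calibrated (min, most likely, max) range.

    random.triangular takes (low, high, mode); it stands in here for the
    PERT/beta distribution FAIR tools usually use.
    """
    return rng.triangular(low, high, mode)


def simulate(scenario, trials=5_000, seed=1):
    """Monte Carlo annualised loss for one stakeholder framing.

    Returns the mean and p10/p50/p90 of annual loss, plus the average share
    of per-event loss magnitude borne by the primary stakeholder.
    """
    rng = random.Random(seed)
    annual, primary_share = [], []
    for _ in range(trials):
        events = sample_range(rng, *scenario["lef"])
        per_side = {}
        for side in ("primary", "secondary"):
            per_side[side] = sum(
                sample_range(rng, low, mode, high) * units
                for low, mode, high, units in scenario[side].values()
            )
        magnitude = per_side["primary"] + per_side["secondary"]
        annual.append(events * magnitude)
        primary_share.append(per_side["primary"] / magnitude if magnitude else 0.0)
    deciles = statistics.quantiles(annual, n=10)  # [p10, p20, ..., p90]
    return {
        "mean": statistics.fmean(annual),
        "p10": deciles[0],
        "p50": deciles[4],
        "p90": deciles[8],
        "primary_share": statistics.fmean(primary_share),
    }


def compare_framings(trials=5_000, seed=1):
    """Run both framings and report how much larger the flipped p50 is."""
    gov = simulate(GOV_AS_PRIMARY, trials, seed)
    pub = simulate(PUBLIC_AS_PRIMARY, trials, seed)
    return {"gov": gov, "public": pub, "p50_ratio": pub["p50"] / gov["p50"]}


if __name__ == "__main__":
    result = compare_framings()
    for name in ("gov", "public"):
        r = result[name]
        print(f"{name:>6}: p10=${r['p10']:,.0f} p50=${r['p50']:,.0f} "
              f"p90=${r['p90']:,.0f} primary share={r['primary_share']:.0%}")
    print(f"flipped framing p50 is {result['p50_ratio']:.0f}x the agency-only p50")
```

The point of the comparison is not the absolute numbers, which are placeholders, but the shape of the result: with the agency as primary stakeholder the entire loss is three modest cost lines, while the flipped framing is dominated by small per-person losses multiplied across the affected population, which is exactly the aggregate effect the paragraph above describes. Swapping in calibrated ranges and a defensible affected-population count is what turns this from an illustration into an analysis.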

What do you think?

About this Entry

This page contains a single entry by Ben Tomhave published on May 10, 2012 8:06 PM.

Epidemiological Thinking: A New Info Risk Mgmt Trend? was the previous entry in this blog.

Published Metrics Can Be Overrated is the next entry in this blog.
