Value is perhaps the most important element of risk. It is essentially what you have to lose. More important, it is both separately identifiable elements and their totality that you have to lose. Too many organizations and decision-makers misperceive the value that is at risk. Either they have a myopic view as to what value is exposed to loss or they underestimate the potential for overall value to be lost.
Consider, for example, the infamous Sony hack, where North Korea attacked Sony in retaliation for the movie The Interview, which depicted the killing of North Korea's leader, Kim Jong Un. Prior to the attack, the Sony CIO was quoted as saying that he wasn't going to spend $10,000,000 to prevent a $1,000,000 loss. While the logic was sound, the underlying assumption of potential loss was incredibly wrong. Sony didn't lose $1,000,000 in the incident. The combined loss from the interrupted release of the movie, the incident response, the compromise of PII of Sony employees, the embarrassment resulting from leaked emails, operational interruption, and so on, cost Sony in excess of $150,000,000.
Unfortunately, there are numerous losses of this scope. While your organization will ideally not suffer such a loss, even small losses can become significant, as we discussed earlier in the “Death by 1,000 Cuts” section. At the least, you want to have a realistic consideration of the value that you are protecting.
There are many types of value. Monetary, opportunity, and reputation are some of the most significant forms. It is also important to consider the value that your organization has to potential attackers, which clearly impacts the level of effort that they will go through to target you. The following sections will explore these types of value.
Monetary value is the clear financial amount that your organization possesses or can lose. To a large extent, this is pretty straightforward. Organizations typically have financial metrics for predicted income, estimated costs for outages, estimates for injuries, estimates for supply chain interruptions, and so on.
Airlines are an easy-to-recognize example of what happens when computer outages interrupt operations. In 2017, a power outage at the Hartsfield-Jackson International Airport in Atlanta caused the cancellation of 1,173 flights, disrupting the lives and business of hundreds of thousands, if not millions, of people once the cancelled flights and everyone else affected by them are counted. While a good portion of the loss was intangible, Delta Air Lines estimated a hard loss of up to $50,000,000.
All organizations with reasonable financial practices have clear estimates of the financial costs of incidents. If you are responsible for mitigating UIL, it would benefit you to talk to your risk or accounting departments to see whether they have any metrics regarding the value of operations, interruptions, and so on. When it comes to technology, unfortunately, the losses resulting from computer incidents have generally not been well defined. However, you can gather costs from third parties that track such information and extrapolate them for your own purposes. The good news is that there are enough well-documented significant incidents in the technology field to provide you with a good start.
You should try to use any metrics available to you in calculating the financial impact of UIL. You can use this data in justifying the efforts and resources you require to mitigate UIL. The resources include cash and people to prevent the initiation of loss, as well as to mitigate the loss, should it be initiated. You also need to justify the organizational impact you may create in changing processes and otherwise impacting the organization. While the other categories of loss discussed can assist in making your case, demonstrating the potential loss in monetary value is the easiest way to justify the resources you require.
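The comparison the Sony CIO was making is a control cost weighed against an estimated loss, and the text's point is that the decision is only as good as the loss estimate. The following is an added example (not from the book, and not the authors' own risk formula) that makes that comparison explicit: it sums the value categories the text discusses into a per-incident loss, annualizes it against an assumed incident frequency, and reports whether a control is justified and at what per-incident loss it would break even. Only the $10,000,000 control cost, the $1,000,000 assumed loss and the $150,000,000 actual loss come from the text; the incident frequency, the 90% control effectiveness and the split across categories are constructed for illustration.

```python
"""Added example: expected-loss comparison across the value categories in the text.

Assumptions (constructed, not from the book): one incident per year, a control
that removes 90% of the loss, and the split of loss across categories.
"""
from dataclasses import dataclass


@dataclass
class LossEstimate:
    """Per-incident loss, split along the value types the text describes."""
    monetary: float = 0.0      # hard costs: response, outage, fines, PII exposure
    opportunity: float = 0.0   # lost or delayed business, e.g. an interrupted release
    reputation: float = 0.0    # lost trust: churn, stock impact, damaged relationships

    def total(self) -> float:
        return self.monetary + self.opportunity + self.reputation


def annualized_loss(estimate: LossEstimate, incidents_per_year: float) -> float:
    """Per-incident loss times expected frequency: the usual annualized-loss form."""
    return estimate.total() * incidents_per_year


def control_decision(control_cost: float, loss_before: float, loss_after: float) -> dict:
    """Compare a control's annual cost with the annualized loss it removes."""
    avoided = loss_before - loss_after
    return {
        "avoided_loss": avoided,
        "net_benefit": avoided - control_cost,
        "justified": avoided > control_cost,
    }


def breakeven_incident_loss(control_cost: float, incidents_per_year: float,
                            reduction_fraction: float) -> float:
    """Smallest per-incident loss at which the control pays for itself."""
    return control_cost / (incidents_per_year * reduction_fraction)


def sony_comparison(incidents_per_year: float = 1.0, reduction: float = 0.9) -> dict:
    """Run the decision twice: with the assumed $1M loss and with the ~$150M actual loss."""
    control_cost = 10_000_000          # figure quoted in the text
    # Loss as assumed before the incident (constructed split of the $1M from the text).
    assumed = LossEstimate(monetary=1_000_000)
    # Loss as it turned out (constructed split of the >$150M from the text).
    actual = LossEstimate(monetary=60_000_000, opportunity=50_000_000,
                          reputation=40_000_000)
    results = {}
    for label, est in (("assumed", assumed), ("actual", actual)):
        before = annualized_loss(est, incidents_per_year)
        after = before * (1.0 - reduction)
        results[label] = control_decision(control_cost, before, after)
    results["breakeven_loss"] = breakeven_incident_loss(
        control_cost, incidents_per_year, reduction)
    return results


if __name__ == "__main__":
    for key, value in sony_comparison().items():
        print(key, value)
```

Under these assumptions the control is rejected against the assumed $1,000,000 loss and clearly justified against the actual loss, with a break-even per-incident loss of roughly $11,100,000; the lesson of the text is that the estimate on the loss side, not the arithmetic, is where the decision went wrong.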
Opportunity value is the potential benefit lost or gained as a result of a harmful action. Opportunity value can include the growth or loss of your customer base, business opportunities, profits, and so on. It can also include strategic positioning of your organization and its business-to-business relationships, the timing of taking a company public, and the strength of your corporate culture.
Unless there are already detailed plans with financial projections, it is sometimes hard to assign a specific monetary value to an opportunity value loss. For example, when a contract is lost, it is unlikely that the loss is tracked unless it was a large contract that had already been calculated into financial projections. If those losses could be quantified financially, they would likely be considered a loss of monetary value as well as opportunity value. There generally is a monetary value that relates to opportunity value, but it can't always be tracked.
We have worked incidents where former employees stole proposals and other corporate information to use for the benefit of their new employers. In some cases, a contract was lost. It is hard to attribute the lost contract to the specific theft, as these situations can be complex and many factors apply. Besides the lost profit from not having the contract, it reduces the likelihood of future work with the client. It might also reduce the money available for future marketing efforts, which can impact future income from other sources.
Some opportunity values can be identified and even quantified, particularly if they align with your organization's goals. For example, if your organization wants to raise its profile in the public's general awareness, being positively reported on in major media has opportunity value. Tracking the number of hits on social media can reveal some level of engagement with people as well.
Opportunity value comes in many forms, and it is usually difficult to calculate. However, it is something to consider in the justification of your efforts. And in the situations when you actually can attach metrics to the opportunity value, you can turn it into something more recognizably quantifiable. Any outage or disruption reveals opportunities for improvement in operations.
For many organizations, reputation value is critical. For example, Uber relies on passengers' trust that they will get to their destinations safely. Whenever a negative incident with a ride is reported, it impacts the organization's image, customer satisfaction, and future profits. Clearly, claims of sexual assaults committed by Uber drivers are a major concern that can impact the willingness of people to use Uber in the future. Uber has been in the unenviable position of being sued by passengers who got into cars and were assaulted by drivers. Some of those lawsuits deal with legitimate Uber drivers, but some even deal with impostors who are not affiliated with Uber at all.
Whenever an organization's name is disparaged in some way, it can result in lost revenue, diminished customer base, damaged relationships with other organizations, or other costs. Cambridge Analytica purchased access to Facebook users' data. Cambridge Analytica's use of that data resulted in a sequence of events that generated negative media coverage, increased the potential regulation of the service, decreased usage by some individuals, and raised the potential for fines. While billions of dollars in fines is a clear monetary loss, the reality is that Facebook's brand suffered further punishment in the loss of trust, respect, and confidence of consumers, investors, regulators, governments, and other businesses.
There are many academic studies that indicate that there is a decrease in stock value after a data breach, for example. The effect is clear in the short to mid-term. While the impact likely dissipates over time, it does put an organization in a weaker position should there be compounding circumstances.