While listening to the fabulous presentations at SIRACon yesterday, I decided there are two metrics which should be considered part of the "gold standard" of metrics for IRM.
#1. Base Rates. I've already argued why base rates and base rate fallacy matter to IRM (see here, here, and here). After listening to Patrick Florer's presentation yesterday on the base rate fallacy, it became clear to me that not only do base rates matter to IRM, but they are one of the most valuable metrics we have in IRM. Here are some specific examples of base rates which matter to IRM:
- base rate of known software vulnerabilities by vendor (Microsoft, Apple, open source, in house, etc.)
- base rate of known breach incidents by threat agent (internal, external, or business partner)
- base rate of known breach incidents which used low difficulty attacks (e.g., exploitation of default credentials)
- base rate of compromised data by type (payment card data, personal data, etc.)
- base rate of known targeted breach incidents (vs. opportunistic vs. unknown)
The good news is that much of this data is either already available in high-quality, public sources like the Verizon DBIR or can be derived from such data.
#2. Risk Reduction Per Unit Cost (RRPU). I owe this one to risk scholar Tony Cox (see here). Here is an IRM example of RRPU, using fake data.
Due to space limitations, I've had to cut a very wide table in half. Here is the left-hand side of the table.
| # | Threat Description | Vulnerability Description | Consequence Description | Risk Treatment | Inherent Loss Event Frequency (ILEF) | Inherent Probable Loss Magnitude (IPLM) | Inherent Risk (i.e., average loss per year) |
|---|---|---|---|---|---|---|---|
| 1 | Adversarial Outsider | Lack of PII Minimization and Retention | Revenue Loss | Purge PII at End of Retention Period | 1.0 | $250K | $250K |
And here is the right-hand side of the same table:
| Residual Loss Event Frequency (RLEF) | Residual Probable Loss Magnitude (RPLM) | Residual Risk (i.e., average loss per year) | Risk Reduction | Cost of Risk Treatment ($) | Risk Reduction Per Unit Cost (RRPU) |
|---|---|---|---|---|---|
So when we say that, in the above example, the RRPU is $20.45, this means that $20.45 is the average annual prevented revenue loss per unit cost (i.e., per dollar spent on proposed risk treatment).
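The arithmetic behind the table, as an added example that is not part of the original post: each row's inherent and residual risk are frequency times magnitude, risk reduction is their difference, and RRPU divides that by the treatment's cost. The example goes one step beyond the single row above and ranks several treatments, showing that ordering by RRPU can differ from ordering by raw risk reduction. Only row 1's ILEF (1.0) and IPLM ($250K) come from the post; the treatment names, residual values and costs are constructed.

```python
from dataclasses import dataclass

@dataclass
class Treatment:
    """One row of the risk-treatment table (money in dollars, per year)."""
    name: str
    ilef: float   # Inherent Loss Event Frequency: events per year, untreated
    iplm: float   # Inherent Probable Loss Magnitude: $ per event, untreated
    rlef: float   # Residual Loss Event Frequency: events per year, treated
    rplm: float   # Residual Probable Loss Magnitude: $ per event, treated
    cost: float   # annual cost of the treatment ($)

    def inherent_risk(self) -> float:
        return self.ilef * self.iplm          # average loss per year, untreated

    def residual_risk(self) -> float:
        return self.rlef * self.rplm          # average loss per year, treated

    def risk_reduction(self) -> float:
        return self.inherent_risk() - self.residual_risk()

    def rrpu(self) -> float:
        # Risk Reduction Per Unit Cost: prevented loss per dollar of treatment
        if self.cost <= 0:
            raise ValueError(f"{self.name}: treatment cost must be positive")
        return self.risk_reduction() / self.cost

def rank(treatments, key):
    """Treatment names ordered best-first by a metric (e.g. Treatment.rrpu)."""
    return [t.name for t in sorted(treatments, key=key, reverse=True)]

def select_within_budget(treatments, budget):
    """Greedy by RRPU: fund the highest-yield treatments until the budget is used."""
    chosen, spent = [], 0.0
    for t in sorted(treatments, key=Treatment.rrpu, reverse=True):
        if spent + t.cost <= budget:
            chosen.append(t.name)
            spent += t.cost
    return chosen, spent

# Constructed sample data: row 1 keeps the post's ILEF and IPLM; every residual
# value, cost and the second and third treatments are made up for illustration.
SAMPLE = [
    Treatment("Purge PII at end of retention period", 1.0, 250_000, 0.25, 80_000, 10_000),
    Treatment("Full-disk encryption on laptops",       0.5, 400_000, 0.5,  50_000, 70_000),
    Treatment("Quarterly access review",               2.0,  30_000, 1.0,  30_000,  5_000),
]

if __name__ == "__main__":
    print(rank(SAMPLE, Treatment.rrpu), select_within_budget(SAMPLE, 20_000))
```

With these numbers the laptop encryption row ranks second by absolute risk reduction but last by RRPU, which is the distinction Cox's metric is meant to surface.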