Loss Magnitude Estimation in Support of Business Impact Analysis

Abstract

In conducting a system Business Impact Analysis (BIA), it can be useful to go beyond qualitative impact categories such as Low, Moderate, and High to gain a deeper understanding of the full potential for adverse impacts, stated in dollar-equivalent terms when possible. Analysis of adverse impacts should depict not just the types of impacts (e.g., financial, safety, privacy, mission, etc.) but also their potential magnitude. This report proposes a methodology that leads to greater confidence in, and improved ranges for, estimates of potential loss. This methodology is a refinement of the CISA OCE's (Cybersecurity and Infrastructure Security Agency, Office of the Chief Economist) BIA methodology for estimating the potential loss magnitude associated with loss of Confidentiality, Integrity, and Availability (CIA) of the systems being assessed. The estimate is of potential loss magnitude because we do not explicitly consider the extent of threat in the estimate, nor do we consider the extent of the cybersecurity controls that constitute the organization's and system's defense. However, we do consider other characteristics of the systems under assessment to the extent that we were able to determine them within the scope of this project. The authors developed the concepts and approaches described in this report in support of, and in collaboration with, the CISA OCE to help improve their BIA potential loss magnitude estimation methodology.

Document Details

Document Type
Technical Report
Publication Date
Sep 01, 2020
Accession Number
AD1111632

Entities

People

  • Andrew P. Moore
  • Brett Tucker
  • Daniel J. Kambic
  • David Tobar

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Biomedical
  • Cyber
  • Human Systems

DTIC Thesaurus Topics

  • Commerce
  • Cybersecurity
  • Engineering
  • Governments
  • Health
  • Homeland Security
  • Information Security
  • Law
  • Public Relations
  • Recreation
  • Risk
  • Risk Analysis
  • Security
  • Social Sciences
  • Space Systems
  • Standards
  • Unauthorized Disclosure

Readers

  • Computational Modeling and Simulation
  • Economics
  • Facility/Structural Engineering

Technology Areas

  • Cyber