The Value Protection Formula: VP = (N - E) / N, where VP is the Value Protection Ratio, N is Normal Operations Costs, and E is Event Impact Costs
Because event impacts can include several kinds of losses, there is an expanded formula for calculating its value:
E = Rp + Rc + Pn + LR + Pc
Rp is response costs, or the amount required to bring business processes back to accepted parameters (for example, man-hours of triage).
Rc is recovery costs, or the amount required to bring enterprise resources back to a normal state (such as the investment in IT to remediate damaged systems).
Pn is cost of penalties, the amount paid in fines or other penalties levied because of the event (such as a government fine for an incident, or a court-ordered payment).
LR is lost revenue due to the event (for example, orders lost due to downtime).
Pc is perception/reputation costs, the measurable amount required to fix a damaged reputation or counter a negative perception (this includes public relations and marketing costs associated with recovery).
So another way to express the formula is:
VP = (N - (Rp + Rc + Pn + LR + Pc)) / N
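The following Python is an added worked example, not code from the original text. It assumes the formula's operator is subtraction (the fraction of normal operations value that survives the event) and uses constructed, illustrative cost figures; the `largest_driver` helper is an assumption added to show how the five components point at the control area that deserves investment first.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class EventImpact:
    """The five cost components of E, in the same currency unit as N."""
    response: float      # Rp: triage man-hours etc.
    recovery: float      # Rc: IT spend to remediate damaged systems
    penalties: float     # Pn: regulatory fines, court-ordered payments
    lost_revenue: float  # LR: orders lost during downtime
    perception: float    # Pc: PR and marketing spend to repair reputation

    def __post_init__(self) -> None:
        # Costs are amounts paid or lost; a negative component is a data error.
        for f in fields(self):
            if getattr(self, f.name) < 0:
                raise ValueError(f"{f.name} must be non-negative")

    def total(self) -> float:
        """E = Rp + Rc + Pn + LR + Pc"""
        return (self.response + self.recovery + self.penalties
                + self.lost_revenue + self.perception)


def value_protection(normal_ops_cost: float, events: list[EventImpact]) -> float:
    """VP = (N - E) / N, with E summed over every event in the period.

    VP is 1.0 when nothing happened, 0.0 when event impact equalled normal
    operations cost, and negative when events cost more than normal operations.
    """
    if normal_ops_cost <= 0:
        raise ValueError("N (normal operations cost) must be positive")
    e = sum(ev.total() for ev in events)
    return (normal_ops_cost - e) / normal_ops_cost


def largest_driver(event: EventImpact) -> str:
    """Name of the component contributing most to E (hypothetical helper)."""
    return max((f.name for f in fields(event)), key=lambda n: getattr(event, n))


# Constructed sample: N = 2,000,000 for the period; one breach with E = 500,000.
NORMAL_OPS = 2_000_000.0
SAMPLE_EVENT = EventImpact(
    response=40_000, recovery=120_000, penalties=50_000,
    lost_revenue=200_000, perception=90_000,
)

if __name__ == "__main__":
    vp = value_protection(NORMAL_OPS, [SAMPLE_EVENT])
    print(f"E  = {SAMPLE_EVENT.total():,.0f}")
    print(f"VP = {vp:.3f}")                       # 0.750: 75% of value protected
    print(f"largest driver: {largest_driver(SAMPLE_EVENT)}")
    # Two events in the same period drive VP toward, or below, zero.
    print(f"VP (two events) = {value_protection(NORMAL_OPS, [SAMPLE_EVENT] * 5):.3f}")
```

Summing E over all events in a reporting period keeps N and E on the same time basis, which the ratio requires; comparing `largest_driver` across events over time shows whether spending should go to faster response, cheaper recovery, or availability controls that cut lost revenue.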
An information security event is a time-bound negative deviation of business process performance from normal operational state resulting from an information security control failure.
Four Ways Information Security Events Impact Companies
- Breach of confidentiality: Unauthorized access to private business information or information controlled by regulation (for example, customer data).
- Loss of integrity: Logical damage to critical operations or financial control systems information (for example, database corruption).
- Loss of availability: Degradation or loss of critical systems performance (for example, network outage, extended downtime).
- Damage to perception: Degradation of stakeholder or shareholder confidence in the company's competence (for example, stock falls on reports of breach).