A Look at How to Measure Anything in Cybersecurity Risk (Chapter 6)

by Phil Conrad

How to Measure Anything in Cybersecurity Risk, second edition
by Douglas W. Hubbard and Richard Seiersen

PART 2 - Evolving the Model of Cybersecurity Risk

Chapter 6 - Decompose It: Unpacking the Details

Decomposition in this context means taking the baseline model and adding detail to it. The authors illustrate this with a decomposition strategy for impact that splits a loss into confidentiality, integrity and availability components, and they provide the full spreadsheet example on their website. It is most easily understood by working through the chapter itself. I won't try to regurgitate it, since it builds on material from earlier chapters and I wouldn't be able to provide a succinct summary.

Decomposition also forces more precision about what is being estimated: "in practice you will need to define an event more specifically."
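As an added illustration of what a decomposed event looks like in code (this is written for this page, not the authors' spreadsheet): a single, specifically defined event with an annual probability, decomposed into confidentiality, integrity and availability sub-losses, each given as a calibrated 90% confidence interval and simulated by Monte Carlo. Every dollar figure and probability below is made up, and turning a 90% CI on a positive loss into a lognormal distribution is an assumption about how such an estimate is modelled, not something this page states.

```python
"""Monte Carlo for one loss event decomposed into C/I/A sub-losses.

Added illustration written for this page; it is not the authors'
spreadsheet. Assumptions: every number is invented, and a 90% CI on a
dollar loss is modelled as a lognormal distribution (a common convention
for positive, right-skewed losses).
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.6449  # z-score of the 95th percentile: a 90% CI spans +/- Z90 sigma


@dataclass(frozen=True)
class Range90:
    """Calibrated 90% CI on a positive quantity (5th and 95th percentile)."""
    low: float
    high: float

    def lognormal_params(self):
        """mu and sigma of ln(X) such that P(low < X < high) = 0.90."""
        mu = (math.log(self.low) + math.log(self.high)) / 2
        sigma = (math.log(self.high) - math.log(self.low)) / (2 * Z90)
        return mu, sigma

    def sample(self, rng):
        mu, sigma = self.lognormal_params()
        return rng.lognormvariate(mu, sigma)


@dataclass(frozen=True)
class Component:
    """One impact component: probability it is hit given the event, and its loss."""
    name: str
    p_given_event: float
    loss: Range90


@dataclass(frozen=True)
class DecomposedEvent:
    """A specifically defined event with an annual probability and C/I/A parts."""
    name: str
    p_annual: float
    components: tuple

    def sample_loss(self, rng):
        """One simulated year: zero loss, or the sum of the components that are hit."""
        if rng.random() >= self.p_annual:
            return 0.0
        return sum(c.loss.sample(rng) for c in self.components
                   if rng.random() < c.p_given_event)


def simulate(event, trials=10000, seed=1):
    """Run the Monte Carlo and return sorted annual losses plus summary statistics."""
    rng = random.Random(seed)
    losses = sorted(event.sample_loss(rng) for _ in range(trials))
    return {
        "mean": sum(losses) / trials,
        "p_any_loss": sum(1 for x in losses if x > 0) / trials,
        "p95": losses[int(0.95 * trials) - 1],
        "losses": losses,
    }


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): one point on a loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


# Constructed example event: all numbers are illustrative, not real estimates.
BILLING_RANSOMWARE = DecomposedEvent(
    name="ransomware reaches the billing system",
    p_annual=0.10,
    components=(
        # confidentiality: records exfiltrated x notification/legal cost per record
        Component("confidentiality", 0.6, Range90(50_000, 2_000_000)),
        # integrity: cost to rebuild and re-verify corrupted billing data
        Component("integrity", 0.8, Range90(20_000, 500_000)),
        # availability: hours of outage x revenue/productivity loss per hour
        Component("availability", 0.9, Range90(100_000, 3_000_000)),
    ),
)

if __name__ == "__main__":
    result = simulate(BILLING_RANSOMWARE)
    print(f"P(any loss)       = {result['p_any_loss']:.3f}")
    print(f"mean annual loss  = ${result['mean']:,.0f}")
    print(f"95th percentile   = ${result['p95']:,.0f}")
    for t in (100_000, 1_000_000, 5_000_000):
        print(f"P(loss > ${t:,}) = {exceedance_probability(result['losses'], t):.3f}")
```

The point of the decomposition is that each component can be estimated and later calibrated against evidence on its own (records exposed, hours of downtime, rebuild effort) instead of asking for one opaque "impact" number; the exceedance probabilities are what a decision-maker compares against risk tolerance.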

The authors lay out two fundamental decomposition rules:

In the last section of this chapter, they tackle the question, "What do we see when we see a loss of reputation?" Looking at a series of publicly reported breaches, they found that "only two of the firms, SolarWinds and Equifax, clearly showed a major drop in stock price that was the day of or the day after the announcement of the attack and much more than any recent volatility." (The firms named in that finding were breached in 2017 and 2020, so the examples are not confined to the 2003 to 2014 window this page originally stated.) Stock price, measured against the company's own recent volatility, was therefore one observable they used as a proxy for reputation damage.
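The finding above implies a concrete test: a drop only counts if it lands on the day of or the day after the announcement and is large relative to the stock's recent volatility. As an added example written for this page (not the book's own analysis), the code below estimates daily volatility from a trailing window of log returns and expresses the day-of and day-after returns as z-scores against it. The price series is constructed with a seeded generator rather than real market data, and the 60-day window and 3-sigma threshold are assumed parameters, not values taken from the book.

```python
"""Does an announcement-day stock drop exceed recent volatility?

Added example for this page, not the book's own analysis. Assumptions:
the price series is constructed (no real ticker), and the trailing
window length and z-score threshold are chosen here, not by the authors.
"""
import math
import random
import statistics


def log_returns(prices):
    """Daily log returns; returns[i] is the move from prices[i] to prices[i+1]."""
    return [math.log(b / a) for a, b in zip(prices, prices[1:])]


def announcement_z_scores(prices, announce_idx, window=60):
    """z-scores of the announcement-day and next-day returns.

    prices[announce_idx] is the first close after the announcement. The
    baseline is the mean and sample standard deviation of the `window`
    daily returns ending the day before the announcement.
    """
    rets = log_returns(prices)
    day0 = announce_idx - 1             # return that lands on the announcement close
    baseline = rets[max(0, day0 - window):day0]
    if len(baseline) < 20:
        raise ValueError("need at least 20 trading days before the announcement")
    mu = statistics.fmean(baseline)
    sigma = statistics.stdev(baseline)
    z0 = (rets[day0] - mu) / sigma
    z1 = (rets[day0 + 1] - mu) / sigma if day0 + 1 < len(rets) else None
    return z0, z1


def is_abnormal_drop(prices, announce_idx, window=60, z_threshold=3.0):
    """True if the day-of or day-after return is a drop beyond z_threshold sigmas."""
    z0, z1 = announcement_z_scores(prices, announce_idx, window)
    return z0 <= -z_threshold or (z1 is not None and z1 <= -z_threshold)


def constructed_prices(announcement_return, seed=7, pre_days=80, post_days=3):
    """Constructed price path: noisy pre-announcement days (1% daily sigma),
    one announcement day with the given log return, then flat days."""
    rng = random.Random(seed)
    prices = [100.0]
    for _ in range(pre_days):
        prices.append(prices[-1] * math.exp(rng.gauss(0.0, 0.01)))
    announce_idx = len(prices)
    prices.append(prices[-1] * math.exp(announcement_return))
    prices.extend([prices[-1]] * post_days)
    return prices, announce_idx


if __name__ == "__main__":
    for label, r in (("major breach", -0.16), ("quiet day", -0.01)):
        p, i = constructed_prices(r)
        z0, z1 = announcement_z_scores(p, i)
        print(f"{label}: day0 z={z0:+.1f} day1 z={z1:+.1f} "
              f"abnormal={is_abnormal_drop(p, i)}")
```

Comparing against the stock's own trailing volatility is what separates "the market punished the breach" from ordinary noise; a 1% dip on a stock that moves 1% a day tells you nothing, while a 16% drop on the same stock is many sigmas out. A fuller event study would also subtract the market index return on those days, which this example omits.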

Another way to model reputation damage is through penance projects. "Penance projects are expenses incurred to limit the long-term impact of loss of reputation." They are "efforts to control damage to reputation instead of what could otherwise be much greater damage." Examples include major new investments in cybersecurity systems, replacing much of the upper management responsible for cybersecurity, a public relations push to assure customers and partners that the problem is being addressed, and marketing and advertising campaigns to offset potential losses. It depends on the type of services you provide, but for most organizations, "these damage-control efforts to limit reputation effects appear to be the real costs here--not so much reputation damage itself." The practical consequence is that penance costs are observable and estimable in a way that "reputation" itself is not, which makes them the better quantity to put in the model.


Posted 2/9/24