I recently earned the Open FAIR Foundation certification. FAIR is Factor Analysis of Information Risk and is a method for analyzing and presenting risk in terms of probable event frequency and probable dollar losses. Risk findings are based on Monte Carlo simulations of a straightforward risk model. It's basically an annual loss expectation, with uncertainty baked in. See https://www.opengroup.org/certifications/openfair for more information.
FAIR measures losses in dollars (or whatever currency you want to use). Losses can include factors such as lost revenue, response costs, lost market share, fines and other legal costs, etc. Does anyone have experience adapting this model to a government setting, especially a national security setting, where losses are defined in terms of less-easily measured things such as secrets? My clients have no revenues and have a national monopoly in their business. They do have expenses (salaries, benefits, capital expenses), so I can probably estimate the cost of workers idled by a breach. But what is the quantitative cost of a compromised national security secret?
I'm not sure about a non-UK context, but in the UK government context IS1 and IS2 were prescribed as risk assessment methods. There was also an adaptation called CRAMM from the CCTA. These methods took account of the impact of loss of classified information rather than financial losses. Maybe something similar already exists as a risk management methodology in your context that would be a fit for the more qualitative risk factors relating to government agencies.
If people want more information on FAIR, they should probably check out the FAIR Institute as well: FAIR Institute website
They run an annual conference, have training, even local chapters for those using the methodology.
I joined the FAIR Institute and found some information that helps, although it doesn't fully solve the problem. The FAIR folks are working on ways to define loss magnitude in terms of mission capability (such as a percentage degradation). This would be in place of the original definition of loss magnitude in terms of dollars. This does give me a way to discuss this with my internal stakeholders.
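The two FAIR shapes discussed in this thread, the original Monte Carlo of event frequency times dollar loss magnitude from the question and the mission-capability loss magnitude from the follow-up, can be shown side by side in one small simulation. The code below is an added illustration, not code from The Open Group, the FAIR Institute, or any poster here. It assumes a triangular distribution in place of the PERT distribution FAIR tooling usually fits to min / most-likely / max estimates, a Poisson draw for the number of loss events in a year, and a capped percentage scale as one way to encode "percentage degradation of mission capability"; every estimate in it is constructed for the example.

```python
"""FAIR-style Monte Carlo: annualized loss from event frequency x loss magnitude.

Added illustration for this thread (not code from The Open Group, the FAIR
Institute, or any poster). All numbers below are constructed, not real estimates.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class Estimate:
    """Calibrated minimum / most-likely / maximum estimate for one FAIR factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Assumption: a triangular distribution stands in for the PERT
        # distribution that FAIR tooling usually fits to these three points.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Estimate      # loss events per year
    loss_magnitude: Estimate            # loss per event, measured in `unit`
    unit: str                           # e.g. "USD" or "% mission capability"
    cap: Optional[float] = None         # top of the scale, e.g. 100.0 for a percentage


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's method, fine for small means)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> List[float]:
    """One annual loss per iteration: sample a frequency, draw that many events, sum their losses."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        lef = scenario.loss_event_frequency.sample(rng)
        events = poisson(rng, lef)
        loss = sum(scenario.loss_magnitude.sample(rng) for _ in range(events))
        if scenario.cap is not None:
            loss = min(loss, scenario.cap)   # a capability cannot be degraded past 100 %
        annual.append(loss)
    return annual


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile of a list of annual losses."""
    ordered = sorted(values)
    idx = int(round(p / 100 * (len(ordered) - 1)))
    return ordered[max(0, min(idx, len(ordered) - 1))]


def summarize(annual: List[float], threshold: float) -> dict:
    """The figures usually put in front of stakeholders: central estimate, range, exceedance."""
    return {
        "mean": mean(annual),
        "p10": percentile(annual, 10),
        "p50": percentile(annual, 50),
        "p90": percentile(annual, 90),
        "p_exceed": sum(1 for v in annual if v > threshold) / len(annual),
    }


# Constructed scenarios. The first is the classic dollar-denominated FAIR case; the
# second expresses loss magnitude as percentage degradation of mission capability,
# one way to encode a non-monetary loss (an assumption for this example, not a FAIR rule).
DOLLAR_SCENARIO = Scenario(
    name="Ransomware idles a processing site",
    loss_event_frequency=Estimate(0.1, 0.5, 2.0),
    loss_magnitude=Estimate(50_000, 200_000, 1_000_000),
    unit="USD",
)
MISSION_SCENARIO = Scenario(
    name="Compromise of a collection capability",
    loss_event_frequency=Estimate(0.05, 0.2, 1.0),
    loss_magnitude=Estimate(5, 20, 60),
    unit="% mission capability",
    cap=100.0,
)

if __name__ == "__main__":
    for scenario, threshold in ((DOLLAR_SCENARIO, 500_000), (MISSION_SCENARIO, 25)):
        s = summarize(simulate(scenario), threshold)
        print(f"{scenario.name} ({scenario.unit})")
        print(f"  mean {s['mean']:,.1f}  p10 {s['p10']:,.1f}  p50 {s['p50']:,.1f}  p90 {s['p90']:,.1f}")
        print(f"  P(annual loss > {threshold:,}) = {s['p_exceed']:.2f}")
```

The point of keeping `unit` and `cap` on the scenario rather than hard-coding dollars is that the simulation, the percentiles and the exceedance probability are identical whichever loss scale is used; only the elicitation of the three loss-magnitude points changes when the loss is a degraded capability instead of money, which is the part the FAIR Institute work mentioned above is trying to define.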