Good Link: Ken Belva On Reputation Damage


  • An interesting framework for reputation damage comes to us this morning from Ken Belva:

    Now what I find interesting is that, for the most part, many of the categories he’s talking about can be thought of in the context of a FAIR analysis performed by the consumer as they consider the risk of continued interaction with an entity that has suffered a breach. For example, Ken cites:

    Extremity: How significant or dangerous is the event? Will it kill me? Example: Tylenol Crisis of 1982.

    Frequency: How often does something detrimental happen? Examples: Incidents at Six Flags Great Adventure.

    Duration: How long does the incident occur? Example: JetBlue 11-hour delay.

    Scope: How far reaching (or large) is the event? Example: TJX.

    From those four factors, we actually are seeing Ken attempt to break down probable frequency of event and probable impact of event from the perspective of the consumer. “Duration”, “Scope”, and “Extremity” are means of accounting for impact. Frequency should be obvious :)

    In addition to those above, his “relativity” and “proximity” are also expressions of factors that could be accounted for in a FAIR risk analysis done from the perspective of the customer. Recall that in FAIR, Productivity losses are those that occur because we cannot do what makes us money. Relativity, then, would match the FAIR Productivity form-of-loss input a consumer would consider when doing their own risk analysis; it is an expression on the part of the consumer that answers the question “Will I be able to get what I need from the company?” Proximity would be an expression of expected Loss Event Frequency in a FAIR analysis on the part of the consumer: “Is it likely that this will happen to me?”

    Which leaves his category of “Brevity or Longevity”. I’m not sure I understand this one. I completely agree that long-term negligence would have a significant impact on brand damage - but what I wonder is whether he’s again developing a consideration for what we call “productivity” in FAIR. If the brand hasn’t been around a significant amount of time, would not the consumer be accounting for that in their risk analysis (“Will I be able to continue to get what I need?”)? When we look at the probable impact of an incident from our If the brand has been around, I start thinking of recursive expressions of “reputation damage”. This makes my brain hurt.

    Either way, the key to understanding reputation damage is to understand our customers’ perceived risk. We’re not the only ones who do risk analysis; our customers do it as well. From a B2C standpoint, they consider only the risk to themselves and/or loved ones. Our B2B customers consider risk not only from the standpoint of the company, but also the risk to themselves (“Will continued interaction get me fired?”).

    One really risk-geeky thing to note. I’m just thinking out loud right now, but if I’m right, then we’re looking at two separate risk analyses on the part of external actors within the context of our own FAIR analysis.

    Recall that Probability of Action (Threat Event Frequency is derived from the Contact Frequency and Probability of Action inputs) is driven by the attacker’s perceived value, level of effort, and risk. I’ve talked in the past about turning FAIR around and giving it a goatee to represent the evil-universe version of itself - well, this is where it’s done.

    In the same way, the consumer now performs a risk analysis of their own, and it enters our analysis at the point where we consider probable impact in the form of reputation damage.
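    The consumer-side FAIR decomposition sketched above, carried through in code as an added example that is not from the post: Belva’s Frequency and Proximity feed Loss Event Frequency, while Extremity, Duration, Scope and Relativity feed Loss Magnitude (Relativity as FAIR Productivity loss). The factor ranges are constructed sample values for a hypothetical breached retailer, and the factor-to-input mapping follows the post’s reasoning, not any published FAIR guidance.

```python
import random
from statistics import mean, quantiles

# FAIR factors as (min, most likely, max) ranges, seen from one consumer's chair.
# Constructed sample values for a hypothetical breached retailer (not real data).
CONSUMER_VIEW = {
    # probable frequency side
    "contact_frequency":     (0.2, 0.5, 2.0),   # breaches/year at this company   (Belva: Frequency)
    "probability_of_action": (0.05, 0.2, 0.6),  # P(a breach reaches my data)     (Belva: Proximity)
    "vulnerability":         (0.3, 0.5, 0.9),   # P(reaching me turns into a loss)
    # probable impact side
    "extremity":             (50, 300, 5000),   # direct harm per event, in $     (Belva: Extremity)
    "duration_days":         (1, 7, 60),        # days I cannot transact          (Belva: Duration)
    "scope":                 (0.1, 0.5, 1.0),   # share of my dealings affected   (Belva: Scope)
    "productivity_per_day":  (5, 20, 100),      # $/day lost when I can't get what I need (Belva: Relativity)
}

def loss_event_frequency(cf, poa, vuln):
    # FAIR: TEF = Contact Frequency x Probability of Action; LEF = TEF x Vulnerability
    return cf * poa * vuln

def loss_magnitude(extremity, duration_days, scope, productivity_per_day):
    # Direct harm plus FAIR "productivity" loss accrued while the consumer cannot transact
    return extremity + duration_days * scope * productivity_per_day

def annual_loss_exposure(f):
    lef = loss_event_frequency(f["contact_frequency"], f["probability_of_action"], f["vulnerability"])
    lm = loss_magnitude(f["extremity"], f["duration_days"], f["scope"], f["productivity_per_day"])
    return lef * lm

def most_likely_exposure(ranges=CONSUMER_VIEW):
    # Point estimate using each factor's most-likely value
    return annual_loss_exposure({k: v[1] for k, v in ranges.items()})

def simulate_exposure(ranges=CONSUMER_VIEW, runs=10000, seed=1):
    # Monte Carlo over triangular distributions: the right tail is what the consumer actually fears,
    # and a point estimate alone hides it.
    rng = random.Random(seed)
    draws = []
    for _ in range(runs):
        sample = {k: rng.triangular(lo, hi, mode) for k, (lo, mode, hi) in ranges.items()}
        draws.append(annual_loss_exposure(sample))
    p95 = quantiles(draws, n=20)[-1]
    return {"mean": mean(draws), "p95": p95, "max": max(draws)}

if __name__ == "__main__":
    print(f"most likely annual exposure: ${most_likely_exposure():.2f}")
    print({k: round(v, 2) for k, v in simulate_exposure().items()})
```

    Swapping in a longer Duration or a wider Scope range shows how Belva’s impact factors move the consumer’s perceived exposure without touching the frequency side.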


  • 4 comments

    1. rybolov Sep 4

      Hi Alex

      Probability is not as obvious as it seems. Yes, we can take a look at historical records and compare, but there are people who make a business out of insuring the “tail”, which usually we don’t know how fat or skinny that tail is.

      Also being in the world that I play, I evaluate risks from the standpoint of the following players:
      My business unit
      My company
      My supported client (internal to the same company)
      My clients’ supported clients (internal business units selling to external client agencies)
      My boss
      Myself

    2. Walter Williams Sep 5

      Frequency can only be measured for past events, which is no indication of future events. This creates a false sense of assurance. This should be the least important measurement in determining what steps should be taken to mitigate the risk.

      As an example: Frequency of Category 5 storms making landfall per year.

      The impact of a single one hitting is so severe that mitigation steps must be taken in cities on the coast even though the frequency is so low as to be statistically nil if you take the entire recorded history of tropical storms as your sample.

    3. Alex Sep 6

      Walter:

      I’m afraid I’m not sure I understand what you’re saying.

      Are you saying:

      1.) We cannot make probabilistic statements about frequencies?

      2.) Frequency has no place in determining why/how we mitigate risk?

    1. Liquidmatrix Security Digest » Security Briefing: September 19th
