Open veeral-patel opened 4 years ago
A $0 loss isn't really a loss, and in any case the lognormal can't capture a 0 low loss accurately (it can't deal well with large high loss/low loss ratios).
Instead when I am eliciting low/high loss values I describe them like this:
In the low loss scenario, imagine everything goes well (other than that a loss occurred)--detection systems worked, we noticed the alarm as soon as is feasible, we stopped further loss, and recovered quickly. A 5th percentile makes sense by that description, because we might become extraordinarily lucky and have an even lower loss than described.
In the high loss scenario, imagine everything goes wrong--we don't detect the loss, and it continues basically as long as it can, up to and including losing all the data. Here a 95th percentile can still make sense because things can always become worse, for example high publicity around the loss, litigation, regulatory fines, etc. beyond what we might expect.
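Added example (not code from any participant in this thread) showing the arithmetic behind treating the elicited low and high losses as the 5th and 95th percentiles of a lognormal, i.e. a 90% confidence interval. It assumes that FAIR-style convention, and the dollar figures are constructed. Fitting the two parameters from the pair makes two things in the comment above concrete: a $0 low loss has no solution because ln(0) is undefined, and a very large high/low ratio pushes the distribution's mean above the elicited high loss itself.

```python
"""Fit a lognormal loss-magnitude distribution from elicited low/high values.

Added example, not from the issue thread. Assumption (hypothetical): the
elicited "low loss" is the 5th percentile and "high loss" the 95th percentile
of a lognormal, so the pair forms a 90% confidence interval. Dollar figures
are constructed for illustration.
"""
import math
from dataclasses import dataclass

Z_95 = 1.6448536269514722  # standard-normal quantile for the 95th percentile


@dataclass(frozen=True)
class LogNormalLoss:
    mu: float     # mean of ln(loss)
    sigma: float  # standard deviation of ln(loss)

    @property
    def median(self) -> float:
        return math.exp(self.mu)

    @property
    def mean(self) -> float:
        # Right-skewed tail: the mean sits above the median by a factor exp(sigma^2 / 2)
        return math.exp(self.mu + self.sigma ** 2 / 2)

    def cdf(self, x: float) -> float:
        """P(loss <= x); 0 for x <= 0 because a lognormal has no mass at zero."""
        if x <= 0:
            return 0.0
        z = (math.log(x) - self.mu) / self.sigma
        return 0.5 * (1 + math.erf(z / math.sqrt(2)))


def fit_from_90ci(low: float, high: float) -> LogNormalLoss:
    """Solve for (mu, sigma) so that low is the 5th and high the 95th percentile.

    ln(low)  = mu - Z_95 * sigma
    ln(high) = mu + Z_95 * sigma
    A $0 low has no solution (ln 0 is undefined): a lognormal cannot
    represent "no loss" as its low end.
    """
    if low <= 0:
        raise ValueError("low loss must be > 0: a lognormal has no mass at $0")
    if high <= low:
        raise ValueError("high loss must exceed low loss")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_95)
    return LogNormalLoss(mu, sigma)


def summarize(low: float, high: float) -> dict:
    """Key statistics a risk analyst would sanity-check after fitting."""
    d = fit_from_90ci(low, high)
    return {
        "median": d.median,
        "mean": d.mean,
        "p_above_high": 1 - d.cdf(high),   # 5% by construction
        "mean_exceeds_high": d.mean > high,  # warning sign of an unusable ratio
    }


if __name__ == "__main__":
    # Constructed scenario: low $10k (everything went right), high $1M (all data lost)
    print(summarize(10_000, 1_000_000))
    # Extreme ratio: low $1, high $1M -> the mean lands far above the "high" loss
    print(summarize(1, 1_000_000))
    try:
        fit_from_90ci(0, 1_000_000)
    except ValueError as e:
        print("rejected:", e)
```

With low $10k and high $1M the median is $100k and the mean about $266k, which is plausible. With low $1 and high $1M the mean is several million dollars, above the elicited high loss, which is the "large high/low ratio" problem: the fitted tail is so heavy that the expected loss no longer reflects the scenario the analyst described. Keeping the low loss as a realistic "everything went right but a loss still occurred" figure avoids both failure modes.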
@mdeshon thanks for your reply!
> detection systems worked, we noticed the alarm as soon as is feasible, we stopped further loss, and recovered quickly
The way I'm thinking about it is that the loss is correlated with the amount of customer data lost. In the low loss scenario, a "small amount" of customer data is lost, but that feels arbitrary to me.
Should I say 1% of data was stolen for low loss? 5%? 20%?
High loss is easier for me. I just compute the cost of losing the data itself, plus secondary costs like regulatory fines, litigation, loss of employee productivity, hiring forensics firms, etc. It's a reasonable worst case scenario...am I thinking about this right?
@mdeshon wanted to follow up!
Let's take an example of Alice stealing our company's customer data, which is worth $1M to us.
Intuitively, the low loss is that she fails to take any data ($0) and the high loss is that she steals all the data ($1M).
Am I choosing the low loss and high loss correctly here? Also, I read that the low loss and high loss should create a 90% confidence interval...how does that apply here?