Two scenarios are enough to assess internal and external threats to confidential customer data

Two threat scenarios—one internal, one external—offer a clearer view of risks to confidential customer data. This approach shows how misuse, phishing, or ransomware can affect data, helping teams build defenses that cover both people and technology and strengthen overall risk posture.

Protecting confidential customer data isn’t a one-and-done task. When you’re doing risk analysis, especially through a FAIR lens, the question often isn’t whether you’ve covered every possible threat, but whether you’ve captured the right kinds of threats. So when the core question comes up, how many scenarios should you model for internal and external threats, the answer is that the minimum is two: one internal, one external.

Let me explain what that means in practical terms, and why this two-scenario rule helps you see the whole picture—not just a single, narrow view.

What FAIR is getting at when it talks about scenarios

FAIR stands for Factor Analysis of Information Risk. It’s a structured way to think about risk by separating loss events from their causes. In simple terms, you look at two big pieces: what could go wrong (the threat) and what that would cost (the impact). A big part of this method is building scenarios—stories that describe how a threat might unfold, who it might affect, what controls work or fail, and what the consequences could be.

When we talk about internal versus external threats, we’re really talking about two sides of the same coin. Internal threats come from inside your organization—people who have access to data, such as employees, contractors, or partners. External threats come from outside—criminal groups, competitors, or opportunistic attackers who try to get in, steal, or corrupt data. Each kind of threat uses different avenues, tools, and vulnerabilities. Your analysis needs both to avoid blind spots.

Two scenarios, many insights

Two scenarios aren’t about being exhaustive; they’re about covering the most likely and most impactful paths. Here’s the logic:

  • Scenario 1: Internal threat. Think of a disgruntled employee who has legitimate access to confidential customer data and could misuse that access. This scenario helps you see how weaknesses in access rights, monitoring, and separation of duties translate into real risk. It surfaces questions like: Are there enough controls around who can view or export data? What happens if someone bypasses those controls, willingly or accidentally?

  • Scenario 2: External threat. Picture a phishing attack that leads to compromised credentials and a ransomware incident that targets the same data. This path emphasizes how attackers might exploit gaps in perimeter defenses, malware defenses, and incident response. It pushes you to ask: Do you have multi-factor authentication, rapid detection, and reliable backups? How quickly can you recover if data is encrypted or exfiltrated?

These two lenses—internal and external—help you map a fuller risk landscape. They also help avoid a one-note narrative that assumes threats come only from one direction. You’ll likely spot overlapping controls, but you’ll also reveal where single points of failure exist. The goal isn’t to scare you; it’s to make risk management concrete, actionable, and aligned with real-world contexts.

How to think about these scenarios in a FAIR framework

If you’re new to FAIR, here’s a bite-sized way to frame each scenario without getting bogged down in jargon:

  • Identify the asset at risk. In most cases, confidential customer data is the asset. Narrow it to the specifics you’re protecting—names, contact details, payment data, or health information, for example.

  • Define the threat event. For the internal case, it could be data being accessed and misused. For the external case, it could be a breach following stolen credentials.

  • Consider the threat source and motive. An insider might act out of dissatisfaction; an external attacker aims to steal or ransom.

  • Assess vulnerability and controls. Look at what weaknesses exist—weak access controls, lack of monitoring, outdated software, insufficient backups—and what controls are in place.

  • Estimate loss magnitude. What would it cost if the data were exposed or stolen? Think in monetary terms and add non-financial impacts like reputational harm and regulatory consequences.

  • Estimate the loss event frequency. How often could this scenario realistically occur? This isn’t guesswork; you combine historical data, threat intelligence, and your own environment’s realities.

  • Rank risk and plan mitigations. Compare how severe the scenarios are and prioritize the fixes that deliver the biggest risk reduction for the least cost or friction.

Two scenarios, two kinds of learning

By examining both an internal and an external scenario, you’re not just ticking a box. You’re building a more robust risk profile. For example, the internal case might spotlight the need for better role-based access control and stronger monitoring dashboards. The external case could drive investments in phishing resistance, identity protection, and faster incident response. In practice, the two scenarios often point to a shared set of controls, like strong authentication and data minimization, but they also highlight where you need dedicated measures for people and for technology.

A practical sketch: how you might lay out each scenario

Let’s walk through a lightweight blueprint you can adapt:

  • Scenario name: Internal threat—disgruntled user with data access rights.

  • What’s at stake: Confidential customer data (specify types), potential leakage or misuse.

  • Threat event: Unauthorized data access or exfiltration.

  • Key vulnerability: Excessive access privileges, weak monitoring, poor segregation of duties.

  • Existing controls: Access reviews, logging, alerting on unusual data exports.

  • Potential impact: Financial loss, regulatory penalties, reputational damage.

  • Likelihood factors: Length of access, strength of monitoring, past audit findings.

  • Mitigations to consider: Just-in-time access, deeper data encryption, enhanced anomaly detection, stricter data export controls.

  • Scenario name: External threat—phishing leading to ransomware on the data.

  • What’s at stake: Same confidential data, plus the operational disruption of the business.

  • Threat event: Compromised credentials enabling access, followed by encryption or exfiltration.

  • Key vulnerability: Phishing susceptibility, weak MFA, slow detection.

  • Existing controls: MFA, email filtering, regular backups, incident response playbooks.

  • Potential impact: Data loss or exposure, downtime, customer trust erosion.

  • Likelihood factors: Threat actor activity, user education, incident response speed.

  • Mitigations to consider: Strong MFA everywhere, phishing simulations, rapid containment, robust backups and tested recovery processes.

Notice how the two stories complement each other. One spotlights people and governance; the other emphasizes digital defenses and response. That balance is what makes risk analysis meaningful rather than just theoretical.
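The framework steps listed earlier (asset, threat event, vulnerability, loss magnitude, loss event frequency, ranking) and the two blueprint scenarios above, carried through in a small FAIR-style model. This is an added example, not code from the original article or from the FAIR standard. Every range, the scenario field names (Estimate, Scenario, simulate, with_control, rank) and the MFA adjustment are constructed assumptions; the arithmetic follows the general FAIR factoring, loss event frequency = threat event frequency x vulnerability and loss magnitude = primary + secondary loss, rather than any particular tool.

```python
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range; sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    asset: str
    threat_event: str
    tef: Estimate             # threat event frequency: attempts per year
    vulnerability: Estimate   # probability an attempt becomes a loss event (0..1)
    primary_loss: Estimate    # direct response/recovery cost per loss event
    secondary_loss: Estimate  # fines, legal cost, reputational harm per loss event


# The two blueprint scenarios. All figures are constructed for illustration only.
INTERNAL = Scenario(
    name="Internal: disgruntled user with data access rights",
    asset="Confidential customer data (names, contact details, payment data)",
    threat_event="Unauthorized access or exfiltration by an insider",
    tef=Estimate(0.5, 1, 2),
    vulnerability=Estimate(0.2, 0.4, 0.6),      # broad privileges, weak monitoring
    primary_loss=Estimate(50_000, 150_000, 400_000),
    secondary_loss=Estimate(100_000, 300_000, 1_000_000),
)

EXTERNAL = Scenario(
    name="External: phishing leading to ransomware on the data",
    asset="Confidential customer data plus business operations",
    threat_event="Compromised credentials, then encryption or exfiltration",
    tef=Estimate(2, 5, 12),
    vulnerability=Estimate(0.1, 0.25, 0.5),     # partial MFA, slow detection
    primary_loss=Estimate(100_000, 400_000, 1_500_000),
    secondary_loss=Estimate(200_000, 600_000, 3_000_000),
)


def point_estimate_ale(s: Scenario) -> float:
    """FAIR arithmetic on the means: LEF = TEF x Vulnerability, LM = primary + secondary."""
    lef = s.tef.mean() * s.vulnerability.mean()
    lm = s.primary_loss.mean() + s.secondary_loss.mean()
    return lef * lm


def _poisson(rng: random.Random, lam: float) -> int:
    """Loss-event count for one year at rate lam (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(s: Scenario, iterations: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo annual loss: sample LEF, draw the event count, price each event."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(iterations):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
        events = _poisson(rng, lef)
        yearly.append(sum(s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
                          for _ in range(events)))
    yearly.sort()
    return {
        "ale": sum(yearly) / iterations,          # annualized loss exposure (mean)
        "p50": yearly[iterations // 2],
        "p90": yearly[int(iterations * 0.9)],
        "p_any_loss": sum(1 for y in yearly if y > 0) / iterations,
    }


def with_control(s: Scenario, **changes) -> Scenario:
    """Re-estimate one factor after a control is applied, e.g. vulnerability= or tef=."""
    return replace(s, **changes)


def rank(scenarios) -> list:
    """Scenario names ordered by point-estimate ALE, highest first, to set priorities."""
    return [s.name for s in sorted(scenarios, key=point_estimate_ale, reverse=True)]


if __name__ == "__main__":
    for s in (INTERNAL, EXTERNAL):
        r = simulate(s)
        print(f"{s.name}\n  point ALE {point_estimate_ale(s):,.0f}  "
              f"sim ALE {r['ale']:,.0f}  p90 {r['p90']:,.0f}  P(any loss) {r['p_any_loss']:.2f}")
    # How a control ripples through: strong MFA everywhere lowers how often a phishing
    # attempt becomes a loss event, while TEF and the loss sizes stay as they were.
    mfa = with_control(EXTERNAL, vulnerability=Estimate(0.01, 0.05, 0.12))
    print(f"External with strong MFA: point ALE {point_estimate_ale(mfa):,.0f}")
    print("Priority:", rank([INTERNAL, EXTERNAL]))
```

The point estimate and the simulation answer different questions: the first gives a single expected annual loss for ranking, the second gives the spread (p50, p90, chance of any loss in a year) that stakeholders need when deciding how much of a tail they can absorb. To test a control, re-estimate only the factor it actually changes (MFA changes vulnerability, just-in-time access changes TEF for the insider case, tested backups change primary loss) and rerun; that keeps the comparison honest.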

Common pitfalls to avoid

Two scenarios are a smart minimum, but they’re not a magic fix. Here are a few traps to steer clear of:

  • Relying on a single scenario or a single threat type. Even in a two-scenario setup, you’ll still want to stay open to evolving threats and changes in your environment.

  • Underestimating insider risks. Insiders can act with legitimate access, so access controls and monitoring aren’t optional details—they’re essential.

  • Treating scenarios as one-and-done. Threat landscapes shift with new tech, new processes, or new business partners. Regular updates keep your assessment relevant.

  • Skipping the human element. Technology matters, but people often drive risk. Training, culture, and clear policies matter as much as tools.

Connecting the dots: from scenarios to security posture

Two scenarios don’t just populate a spreadsheet; they guide action. When you connect the outcomes to your security posture, you’ll see where to invest first and where you can afford to be incremental. It’s a practical way to translate numbers into concrete steps—like tightening access privileges, upgrading detection capabilities, or rehearsing incident response.

A few reminders as you apply this approach

  • Be concrete. Use real data about assets and processes in your environment. Vague threats lead to vague mitigations.

  • Keep it fresh. Threats evolve; your scenarios should too. Schedule periodic reviews and adapt as needed.

  • Communicate clearly. Translate risk findings into business terms. People outside the security team need to understand why a two-scenario approach matters.

Why this matters beyond the classroom

If you’re shaping a security program for a real organization, the two-scenario mindset helps you build resilience without overcomplicating your analysis. It keeps you focused on what matters: protecting confidential customer data from both human and machine-driven threats. It also makes it easier to explain risk decisions to stakeholders who care about outcomes, not just methodology.

A quick closing thought

Two scenarios are a practical foundation. They give you a clear view of the risk landscape and a solid starting point for stronger controls. If you’re exploring FAIR concepts, think of internal and external threats as two sides of the same dataset of risk. Model them well, and you’ll uncover insights that lead to smarter protections, quicker responses, and less anxiety about what could happen to sensitive data.

If you’re wondering how any particular control might shift the risk picture in either scenario, feel free to sketch a quick model and test how changes ripple through the numbers. The beauty of this approach is that it invites you to experiment with real-world variables—without getting lost in complexity.

What does your two-scenario setup look like?

Take a moment to map out a simple internal-threat scenario and a complementary external-threat scenario for a dataset you’re familiar with. What would be the most critical control that could reduce risk in both paths? Are there gaps that jump out right away? Sometimes the most obvious fixes are the ones that shield you most effectively.

In the end, the goal is not to predict every possible assault on data but to arm yourself with a focused, practical view of risk. Two scenarios—one for insiders, one for outsiders—give you a sturdy lens to examine threats, prioritize defenses, and keep customer data safer in an ever-changing digital world.
