What should be done if there is no available data on past loss events during analysis?

In situations where there is no available data on past loss events, stepping down a level to assess the Threat Event Frequency and Vulnerability levels is a practical approach. This method allows analysts to gather relevant insights and make informed estimates based on broader threats and vulnerabilities, rather than relying solely on historical loss data that may be absent or insufficient.

By focusing on Threat Event Frequency, one can evaluate how often specific threats might occur in the context of the organization's environment and its existing controls. Analyzing vulnerabilities offers the opportunity to understand how those threats might exploit weaknesses in the organization's defenses. This comprehensive view enables the analyst to build a more reliable risk evaluation while still adhering to the framework of Factor Analysis of Information Risk (FAIR).

Utilizing this level of analysis creates a basis for estimating potential loss events, which can be crucial for effective risk management, even when direct historical data is not present. Overall, this method emphasizes flexibility and adaptability in risk analysis.