In this article:
Brainstorming is a technique used to generate ideas or solutions spontaneously. By design, brainstorming is a participative activity focused on gathering diverse viewpoints without constraints, limitations, or judgment, facilitating the thinking process. Brainstorming can lead to improved techniques, new products or services, or a unique way to approach and develop solutions to known problems. Indeed, brainstorming has been the catalyst behind everyday modern-day conveniences such as crowdsourcing, food delivery, home and vacation rentals, and prescription delivery.
Brainstorming is an effective method for identifying potential cyber risks. Many cyber threats are identified from known exposures and operational gaps, which could be sourced from vulnerability lists, penetration test results, or during an incident investigation. While these exposures are vitally important to the cyber risk management process, it is also essential to identify and understand potential cyber risks that may not be apparent. By bringing a diverse group of stakeholders together from across the organization in a brainstorming activity, various views, expertise, and knowledge can reveal a substantial range of exposures for consideration that might not otherwise be identified.
During a brainstorming session, the participants need to think creatively about specific cybersecurity scenarios that the participants feel the company is susceptible to and/or that could have a significant impact on the company. The participants should adopt the perspective of “assumed compromise”, that is, try to identify things that are possible, even if they are not probable.
Brainstorming focuses on idea generation without the immediate burden to solve a problem or implement a process.
In a structured brainstorming session, participants meet in a workshop or group setting, and ideas are solicited by facilitators or project leads in a structured or sequential order, providing an opportunity for each participant to either provide input or “pass” their chance to the next participant. Every participant has an equal opportunity to participate and can build collaboratively on ideas that have already been generated. In the Axio Cyber Risk Quantification Method, one or more structured brainstorming workshops are conducted with diverse participant groups to create an initial list of cyber risks to be considered in subsequent steps in the CRQ Method. However, keep in mind that structured brainstorming activities may constrain spontaneity and may discourage participation from less assertive participants who are not inclined to contribute in a group environment, particularly if participants come from different organizational levels.
In an unstructured brainstorming activity, participants are given the ability to think and contribute spontaneously. There are two ways to conduct an unstructured brainstorming activity.
Facilitated workshop or group: In this method, participants meet in a workshop or group setting, and ideas are solicited as they come to mind, with facilitators and project leads documenting ideas for participants to reflect and build upon. This results in improved collaboration and process flow because no participant is required to provide input on demand, and engaged participants can offer more of their ideas. However, participation may still be a barrier for those who could be more confident engaging in a group environment. Ideally, if CRQ workshops are performed in a group setting and initial rounds of idea generation can be structured, allowing later for more unstructured activity.
Individual contributions: An unstructured brainstorming activity can also be performed outside of a group or workshop setting. In this method, participants are provided instruction on the CRQ Method and the purpose of the brainstorming step and then are asked to generate their ideas on their own time. Providing participants time to think can result in more robust idea submission, particularly for those more inclined to participate as individuals without the pressure of performing in a group setting. This method can also extend the time to gather ideas rather than constraining the brainstorming activity to a set start and end time. A limitation of this process is that the lack of collaboration can affect the ability to build on suggested input from other participants. But this can be compensated for by bringing participants together after individual brainstorming and presenting the results anonymously in a recap workshop where additional ideas can be generated and considered.
Regardless of the method used, there are a few fundamental rules for effective brainstorming:
There are no right or wrong answers. All ideas are considered viable input to the larger CRQ Method. Activities later in the CRQ Method will further explore brainstormed ideas and add details needed for consideration for quantification.
Ideas should be captured as the participant intended. Avoid adding details for “shaping” what the participant provides.
Avoid criticizing ideas as they are presented. This can have the effect of stifling participation and negatively impacting the results of the activity.
Encourage participants to think in a stream-of-consciousness way. Participants should refrain from self-censoring their ideas or constraining their thinking to conventions. A critical and independent view of the participant’s operational environment is permitted and encouraged.
Give participants the time they need to create the best ideas. In an operational environment, organizations are inclined to value efficiency and quality because of the positive impact on the bottom line. But brainstorming can be an activity where quantity is preferred because more ideas for consideration are better.
Make sure to include a diverse group of participants. The value of the brainstorming activity is to explore idea generation or problem-solving from different perspectives. This process will be impeded if everyone in the participating group is prone to groupthink.
Participants in a brainstorming activity will typically need basic instruction on how to generate and capture their cybersecurity concerns and risks. In a classic brainstorming activity, facilitators generally start with an “initiating” statement of a problem, challenge, or concern to which participants brainstorm potential solutions.
This approach can also be adapted to creating notional scenarios. For example, facilitators can instruct participants to start with initiating statements such as
- What types of operational disruptions are you most concerned about?
- What recent cybersecurity “headlines” do you believe could potentially impact your area of responsibility?
- Are there concerns about actors inside the organization causing damage, such as stealing data or sabotaging operations?
- What natural disasters threaten the operations in your area of responsibility?
Facilitators should develop meaningful initiating statements that are relevant to the area under review in advance of any brainstorming activity. As participants respond to these statements, it is often helpful to ask follow-up questions such as “How would that happen?” or “Who would you take that action?”.
In some cases, participants in a brainstorming activity may have significant knowledge of potential risks to draw upon. These sources might include:
- Reports of control weaknesses with which participants are familiar. This could include audit reports or the results of cybersecurity control assessments performed in the past. Remember that these weaknesses might not only be technical but also physical.
- Known vulnerabilities that are reported to the organization or are identified through a regular scanning process.
- Intelligence gathered from forums and collaborative groups to which participants might belong. This could include a government CERT organization or an industry group with a cybersecurity information exchange.
- Experience with actual intrusions or events is particularly relevant for identifying natural disasters such as floods or hurricanes that have impacted operations in the past, and to which the organization is generally exposed.
- Consider using a structured guide to generate ideas. For example, some risk identification methodologies (such as OCTAVE Allegro Caralli 2007) provide threat paths or “trees” for consideration when developing real-world scenarios. For example, a potential threat path such as an “internal actor (who) deliberate (motive) destruction or loss (outcome)” can be used to generate the question, could an internal actor deliberately destroy information or data that is needed by a critical operational process, and how would that occur?
The creation of notional scenarios can be improved by considering an operational focus. To do this, keep in mind the following:
- Identify the key or critical operational processes essential to supporting the organizational mission.
- Identify the assets the process relies upon for each operational strategy to achieve its mission. Consider the
- people that perform the process
- information and data used by the process
- technologies that automate and control the process
- facilities or physical places in which the process is performed
- Consider focusing on notional scenarios that could disrupt, interrupt, or disable the operational process from achieving its mission. This most likely will involve an attack on one or more assets that are critical to the process. For example, a denial-of-service attack on a production system may result in unavailability of the _technology* needed to support the process.
- Keep in mind that while cyber-attacks most often target data and technologies (such as systems and networks), it is plausible that these attacks could render facilities unusable or could impede the ability for people to perform their responsibilities. In many cases, as notional scenarios are developed, it is likely that an attack results in cascading impacts to more than one asset simultaneously. For example, an attack on a cloud-hosted application may turn off the use of an application system (technology) and its data at the same time.
- The Threat Objectives in the Axio360 Platform are easily adapted to this approach. As notional scenarios are constructed, consider the ways in which a specific Threat Objective, such as data destruction or alteration can impact the viability of each critical operational process that has been identified. Since each operational process likely has specific data dependencies, robust and unique notional scenarios using this Threat Objective may be created for each critical operational process.