In this article:
Creating a Notional Scenario
This section describes creating notional scenarios for possible quantification using brainstorming or other methods.
Participants
- Project Lead (or Facilitator, as appropriate)
- Core Workshop Participants
- Subject Matter Experts
Timeframe
These activities are performed during specific workshops or between workshops on an ongoing basis.
Background
The Axio CRQ method begins with the identification of cyber risks that could expose the organization to impact or damage. These cyber risks are used to establish “notional scenarios”, elaborated further for quantification to determine the financial impact on the organization due to a cyber event. Keep in mind: it is not yet important to establish all of the components of a cyber risk (such as actor, motive, or vulnerability), but instead to capture a range of potential cyber exposures or concerns to expand later into fully articulated risks.
In the Axio CRQ Method, brainstorming is the suggested initial process for creating notional scenarios. However, an organization may have historical data or subject matter expertise for scenario development. Additionally, incorporate any questions or concerns about the cyber risk posed by organizational leadership into the scenario development process.
The critical objective in creating notional scenarios is to allow for the identification of cyber risks that are possible, even if they are not probable. At this point, the quantification process ultimately benefits from a broader conversation about cyber risk, so all ideas should be considered.
Notional Scenarios
Notional scenarios typically comprise a small phrase or a few words that are captured to summarize an element, concept, or concern that could form the basis of a cyber risk. Notional scenarios may include a few facts or assumptions that help clarify meaning. These are some examples of notional scenarios:
- Ransomware
- Breach of customer PII
- Insider threat
- Issues with the customer fulfillment system
- Internet outage at customer call center
These examples still need to contain all of the necessary details that could establish a cyber risk. Instead, they act as a placeholder for a potential threat to be discussed and elaborated on later in the process.
Activities
- Identify and document notional scenarios.
- Add the notional scenarios to a Scenario Collection.
- Classify the notional scenarios and ensure complete coverage of the Scenario Collection scope.
Define Functions and Threat Objectives for a Scenario Collection to apply to scenarios on the scenario overview screen. When applied, the participants can use the Scenario Coverage Table as a visual guide to determine how many Functions and Threat Objectives are covered by scenarios within the collection. This helps identify gaps in the identification of notional scenarios.