In this article:
- Elaborating on Notional Scenarios
- Elements of Cyber Risk
- Questions to Aid in Elaboration
- Examples of Elaborated Risks
This section describes transforming a notional scenario into a fully elaborated and complete risk scenario ready for quantification.
- Project Lead (or Facilitator, if appropriate)
- Core Workshop Participants
- Subject Matter Experts
These activities are performed during the initial Cyber Risk Quantification workshop(s) or between workshops on an ongoing basis.
In simple terms, a fully articulated cyber risk comprises a condition and a consequence (as explained in What Is Cyber Risk?). Turning notional scenarios into fully elaborated scenarios involves defining additional elements of the cyber risk condition (see below). Elaborated scenarios may also capture any assumptions (i.e., things asserted to be true for the scenario) necessary to quantify.
Core workshop participants should initiate the scenario elaboration, followed up with iterative workshops or working sessions with business personnel and subject matter experts (SMEs).
Facilitators should start this process with Information Technology personnel and proceed with additional SMEs involved in Incident Response, Business Continuity, Legal and Regulatory, and Business Process Leaders.
The first step in elaboration is to assess the notional scenario, identify the information it already contains, and determine what needs to be added to make the scenario useful in the quantification process. Given the title and details of the notional scenario, consider which element(s) of risk may need to be included.
Define the remaining elements of a scenario during the brainstorming workshop by asking participants simple questions to elicit information. Depending on the definition in the notional scenario, the facilitator can guide participants through a structured process to identify missing information. Use the questions included in the Elements of Cyber Risk section to systematically consider all of the elements of cyber risk and expand the scenario. In some cases, working from a known factor (such as a vulnerability) can help ask questions about other elements (such as the actor or the motive).
Regardless of the techniques employed, each element should be considered and defined as appropriate. The goal is to use these elements to construct a robust story of “what happens” if the risk is realized, which helps scope the quantification of impacts. It is common to revise elaborated scenarios as more information becomes known.
During the elaboration process, workshop participants often start to offer different pieces of information relevant to quantified impacts. For example, when elaborating a breach-of-information scenario, the databases that contain certain types of records and the count of records will become known. When discussing those pieces of information, capture them under “assumptions” to be used later in the quantification process. Additionally, clarifying which impacts are assumed is essential, since many different impacts can be realized. For example, in the breach-of-information scenario above, the participants may want to exclude lawsuits, or violations involving specific kinds of data. These exclusions should be captured as assumptions, since they indicate which aspects of the scenario are or are not to be quantified.
Elaborating a scenario involves documenting the conditions of cyber risk, and if possible, documenting them in a small narrative associated with a notional scenario. The conditions of cyber risk include:
- Who (i.e., the actor or threat)
- The actor’s motive
- The action(s) (i.e., the means, opportunity, and vulnerability)
- The asset(s) (i.e., what is targeted by the actor)
- The immediate negative or undesired outcome to operations, data, systems, or other business elements (how the asset or associated processes are impacted)
- The damages of the action or event (what are the follow-on effects of the immediate outcome)
- Relevant details and assumptions (type of data, number of records compromised, type and quantity of equipment or facilities damaged, revenues lost, lines of business affected, location of facility if physical damage or injury occurs, etc.)
The process of transforming notional scenarios into elaborated scenarios requires consideration of the details of the scenario that reflect the conditions of cyber risk.
During a brainstorming process or in a separate activity focused on elaborating scenarios, asking the following questions can help participants to add essential details to scenarios they plan to advance into the quantification process.
Consider the following questions relative to each of the elements of a cyber risk condition. Keep in mind the essential elements of a cyber risk condition:
- Actor with the means, motive, and opportunity that exploits a weakness, vulnerability or exposure causing a harmful or undesired outcome.
- Actor (e.g., insider threat, hacktivists):
- What types of actors might attack the organization?
- Are the actors all external to the organization, or are they potentially inside the organization?
- Is there an actor who explicitly wants something that the organization has (such as confidential data or intellectual property)? For example, is there an actor that would want to shut down a critical operational process that we have, such as a nation-state that wants to attack a voting system or an electricity grid?
- Are there nation-state actors that might want to harm the organization for political, social, or economic gains?
- What would be the actor’s target? A particular asset or operational process? Do we have critical assets or operating processes that an actor would value as a high-profile target? Are we in an industry that is attractive to the actor?
- Motive (e.g., financial gain, revenge):
- Why would an actor want to cause damage, harm, or loss to the organization?
- What end objective is motivating the actor to act? Consider financial gain, political/social gain, ideological change, or competition.
- If the actor has a motivation, does the organization have assets and/or operational processes that fit the end objective?
- What tools, techniques, or methods could attackers with this motivation employ? Consider phishing techniques, malware, physical access, automated routines (such as DDoS), or supply-chain compromise.
- How easy would it be for an actor to obtain and/or use these means? Are the tools, techniques, or methods readily available?
- Are there organizational exposures that provide an opportunity for the actor with a motive and means to launch an attack? For example, does the organization have unpatched vulnerabilities, or is it more vulnerable to physical attack at night when there are no guards on duty?
- Weakness, vulnerability, or exposure:
- What known or perceived weaknesses, vulnerabilities, or exposures could an actor exploit? This area constitutes a wide range of items such as poor, inadequate, or missing controls, cybersecurity practice immaturity, known vulnerabilities and weaknesses, and exposures due to specific conditions such as third-party access or data sharing.
In some cases, during brainstorming, participants may start with a known exposure, create a corresponding notional scenario and then use the elaboration process to expand the scenario by considering the other elements of risk.
- What would be the result of the scenario if realized? What negative outcomes might the organization realize? Consider the potential for loss of reputation and negative effects on life, safety, and health of employees; or potential for legal actions or fines and penalties.
- What types of direct impacts (data breach, system interruption, etc.) would an actor attempt to achieve?
- Are there specific outcomes that an actor would attempt to achieve (pay a ransom, make a newspaper headline, etc.)?
Try to separate negative outcomes from impact. Negative outcomes are general effects that might be realized by the organization but may not result in a corresponding impact on the organization. For example, a loss of reputation (negative outcome) may result in a loss of 100 customers (impact). But, in some cases, a loss of reputation may have no material effect and cause no impact or damage.
Given that a cyber risk is composed of a condition and a consequence, these questions help the organization expand its thought process by considering how an unfavorable or undesired outcome can damage or impact an organization. Considering consequences helps to create an elaborated scenario that most closely aligns with the definition of cyber risk.
- How would the organization be damaged if the negative or undesired outcomes were realized? Consider the Impacts by Axio Quadrant provided in the Appendices Section B to help you answer this question.
- How would this damage occur?
- What damage does the organization consider significant?
- What is the most damaging thing that could happen to the company?
As the elaboration process is conducted, perform a process check on elaborated scenarios. Consider whether the elaborated scenario makes sense, is realistic, contains all necessary information, and is worthy of taking forward into the quantification process. Additionally, note that associated Impact Classes can be selected during scenario elaboration in the Axio360 Platform. By default, all Impact Classes are included, but an Impact Class can be deselected if it is decided that the impacts in that Class will not be used in the quantification process. Impact Classes that are deselected now can be reselected during quantification if needed.
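As an added illustration (not part of the Axio documentation or platform), the following Python sketch models the elements of an elaborated scenario listed above, the assumptions captured alongside it, the default-all Impact Class selection, and the process check just described, using the page's production-planning ransomware example as data. The Impact Class names are constructed placeholders, since the page does not list the Axio360 Impact Classes.

```python
from dataclasses import dataclass, field
# Constructed placeholder Impact Class names: the page does not list the
# Axio360 Impact Classes, so these stand in for them.
ALL_IMPACT_CLASSES = frozenset({"class_a", "class_b", "class_c", "class_d"})
# The condition and consequence elements an elaborated scenario must document.
REQUIRED_ELEMENTS = ("actor", "motive", "action", "asset", "outcome", "damages")

@dataclass
class ElaboratedScenario:
    title: str
    actor: str = ""     # who (the actor or threat)
    motive: str = ""    # why the actor acts
    action: str = ""    # means, opportunity, and vulnerability exploited
    asset: str = ""     # what is targeted
    outcome: str = ""   # immediate negative or undesired outcome
    damages: str = ""   # follow-on damages of that outcome
    assumptions: dict = field(default_factory=dict)  # facts asserted true for quantification
    # All Impact Classes are included by default; deselect to exclude one.
    impact_classes: set = field(default_factory=lambda: set(ALL_IMPACT_CLASSES))

    def select_impact_class(self, name: str, selected: bool) -> None:
        # Deselect a Class to exclude it from quantification; reselect later if needed.
        if name not in ALL_IMPACT_CLASSES:
            raise ValueError(f"unknown Impact Class: {name}")
        (self.impact_classes.add if selected else self.impact_classes.discard)(name)

    def missing_elements(self) -> list:
        return [e for e in REQUIRED_ELEMENTS if not getattr(self, e).strip()]

    def process_check(self) -> tuple:
        # Ready only if every element is defined, at least one assumption is
        # recorded, and at least one Impact Class is still selected.
        problems = [f"missing element: {e}" for e in self.missing_elements()]
        if not self.assumptions:
            problems.append("no assumptions recorded for quantification")
        if not self.impact_classes:
            problems.append("every Impact Class has been deselected")
        return (not problems, problems)

def ransomware_example() -> ElaboratedScenario:
    # The page's production-planning ransomware scenario, split into its elements.
    return ElaboratedScenario(
        "Ransomware on the production planning system",
        actor="financially motivated cyber actor", motive="financial gain (ransom)",
        action="infects the system with ransomware",
        asset="production planning system, planning and contract data",
        outcome="system inoperable; planning and contract data lost; all lines of business affected",
        damages="cannot track orders, schedule deliveries, or meet contracts: revenue loss, liquidated damages",
        assumptions={"outage_weeks": 2, "ransom_paid": True, "lines_of_business": "all"})
```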
A financially motivated cyber actor infects the production planning system with ransomware, which renders the system inoperable and causes the loss of all production planning data and contract data. All lines of business are affected. We cannot track orders, schedule deliveries, or meet contractual obligations, resulting in revenue losses and liquidated damages under delivery contracts. We ultimately paid the ransom, but the system was unavailable for two weeks.
A financially motivated threat actor exploits code vulnerabilities on an externally facing system, exfiltrating 1.2 million records of customer PII data, both current and legacy data, including name, address, Social Security Number, bank account information, and order history. Multiple lawsuits are filed against the business, resulting in numerous settlements and fines.
An unintentional insider mistake results in a misconfiguration of a high-value application. This misconfiguration corrupted the application data over time, resulting in an extended outage of four days as data was restored and reconstructed. As a result, business is interrupted, losing $3 million in revenue and customer retention.