So the last topic that we're gonna examine is the topic of risk scenarios. And we've really talked about these a little bit. What? We're gonna look at some specific elements. So when we talk about a risk scenario, we're essentially playing the what if game. What if this happens? What if that happens?
What if or how likely is it to happen?
So ultimately what we're doing is we're looking at particular events and determining what the impact might be, how we would respond. Ah, what are some threats and how those might look so ultimately, we're just trying to take these risks that were sitting around a table talking about. We're trying to make him a little bit more
Rights were saying, Okay, you can talk about denial of service, but what might happen? Okay, let's look a denial of service on our Web server. Let's look a denial of service that bumps us off line for an hour. Let's look at the amount of money that would be lost. Let's talk about how that denial of service might have been successful. Let's talk about how we can mitigate it.
So the risk scenarios were playing through these situations,
ideally in such a way that will help us sort of expand beyond just that traditional thought. So, yeah. Makes things more realistic. Also, it facilitates engagement among your risk team where we're kind of talking through. Well, what do you think is gonna happen if this, you know, if this risk event materializes,
it can also help us be more realistic because we're really being forced to think. Okay, what if this Web servers down for an hour? Well, we better figure out exactly the impact, because that's going to determine the prioritization of this risk.
Usually there are five elements to the scenario. Um, there is the actor, the type of threat,
what the event is, what asset is affected, and then any sort of specifics for timing elements. So if we take a look at this, um, Ultimately,
to be honest with you again, I always tend to start with the asset. Right? So what am I protecting? So maybe I'm protecting our data, our intellectual property. Okay, Well, who might be interested in our intellectual property, So I'll jump over to a threat. Actor, maybe our competitors.
Theft of information. What would the event be well, it would be disclosure of information, a breach of confidentiality,
and then when we have timing and timing dimensions.
So the idea is like, how long with this attack continue? How long from the compromise toe where we see, you know, back when we talked about volatility and velocity, those ideas are coming into play here. A swell.
All right, So those events that we're talking about are they gonna be lost events? Are they going to be a combination of? Is it going to be an event focusing on our vulnerabilities areas where we're weak? Is it going to be a threat event where there is an
active attempt to compromise
so very common when we talk about events, disclosure, modification, theft,
breach of confidentiality, inappropriate use, you know, just the typical threat events that you would think about in relation to information security. And we just want to document that
we've talked about what the assets are and remember assets don't have to be tangible.
As a matter of fact, Often it's the intangible assets that are higher valued. You know, it's very easy for me to determine the value for laptops But when you talk about an asset like a company's reputation, that's very difficult to quantify.
So again, that's kind of the place that I like to start is by looking at the assets.
Because if you really look at the asset in the type of asset that will help you figure out well, what actors might be driven to compromise our intellectual property? What? Um, actors might be driven to breach the confidentiality of credit card information.
So I think you know, you have the flow, but it doesn't mean that you have to do 12345 right. It just means the's five areas air generally present. In a risk scenario, I like to start with assets.
All right, we talked about intangible versus Tangible, talked about timing. And again, if they're, um, instances where velocities important or proximity, you know what is the time span over which this threat materializes? Is it you know,
instant. Is it something over a period of time,
a major breach oven International hotel chain and the breach lasted over course of three and 1/2 years.
That isn't a long, long, long security breach, right? to go unnoticed for three and 1/2 years. I think that was a major, obviously to major problem. The question will be, What did they do about it? What goes back into their systems and says
we're not monitoring accurately or completely.
We're not having the appropriate oversight of thes tests. If you've got information being leaked over three and 1/2 years, you've got big problems, and they need to go back to the drawing board. They need to meet with their risk officer, their information officer. Their security officers,
the architect that designed their network,
they got their work ahead of them. You know, they're gonna have a lot of very intense meetings. It'll be interesting to see, but I would not be surprised if we see some of the senior officials get terminated or have their resignations accepted over a breach of that dimension.
Okay, so the scenarios all about helping us identify risks. You know, if I were to say, what are the risks associated with the new network? You know,
we would think Well, Ah, Ben, with issues. Okay, well, what man with issues have you seen what caused him? And it's that discussion that's being facilitated, that's going to become very, very valuable.
All right, so we developed those strategies, and the strategies can be developed top down or bottom up. And what I'm really meaning with that is
assets down or actor up. You know, do you look and start with the asset, or do you start with the threat actor and I've already told you my preference.
All right, Now, the development process of a risk scenario
start out with generic scenarios, right? We just want to start out very broad denial of service or, um, you know, compromise of confidential data, breach of integrity. Start out broad.
And then ultimately, we want to see we wanna, you know, kind of figure in what the business objective that's being compromised is.
Then we're gonna tweak those scenarios and be ableto organize them in line so that we can prioritize them. Right? How critical with this particular threat,
how critical would its impact be to the organization?
Keep in mind you can't look att, every risk scenario out there. So we have the limit. What we can do,
We keep risks and our risk register so that we can evaluate them easily,
and then ah, we go back and review these scenarios is necessary