
Run simulations asking the question "What if...?" using recent cyber attacks as a model

Written by Cyberangels
Updated over 2 years ago

"What if?" scenario analysis is a business planning and modelling technique that produces projections of a given outcome as its input variables change.

Scenario planning allows a company to respond to alternative situations more quickly and effectively because it has developed strategies on which to rely. A scenario, in this context, is a potential circumstance or combination of circumstances that could have a significant impact, positive or negative, on an organisation.

A company can use the "what if?" scenario analysis to see how a particular outcome, such as project costs, could be affected by changes in particular variables, such as late delivery of supplies or unavailability of key personnel.

Applied to cyber security, these tabletop-style exercises are a practical way for companies to test their incident response plans and to educate teams on the importance of cyber security and on what to do in the event of a data breach. This is done by defining a realistic scenario and asking participants questions such as:

How would you respond?

What tools would you use?

What is your role in reporting the breach?

Who would you talk to in order to solve the problem?

How would you report the problem?

Following are five incident response scenarios that you can use to test your team.

Most of these exercises are simple and can be completed in as little as 15 minutes. They are nevertheless useful for getting your team thinking about cyber security and for checking that they are equipped to deal with a breach.

1. A patching problem

Problem: a member of your support team hastily deploys a critical patch that introduces a bug.

An example of the scenario you might present: it's Friday night and your network administrator receives a ticket requesting a critical patch on one of your systems. He applies the fix without testing it, pushes it out to production and goes home for the weekend. The next morning you start receiving e-mails from angry customers because your services are down and no one can access them.

What is assessed: participants have to identify the risks of an untested patch and how it can lead to a security incident (an outage caused by a bad change is an availability incident, not just an IT problem). They also have to establish whether the patch can be rolled back, what a rollback plan should have looked like before the change was made, and who they should contact to resolve the problem.

2. A malware problem

Problem: the crossover between work and private devices leads to an employee infecting company systems with malware.

An example of the scenario you might present: a member of the marketing team borrowed a company USB drive so he could take a presentation home and continue working on it. He connected the drive to his home laptop, which was infected with malware, and the malware copied itself onto the drive. Once back at the office, he plugged the USB drive into his work computer, infecting company systems with the same malware.

What is assessed: check whether, and how quickly, the employee can work out what happened, and whether your team is aware of threats such as malware spread via USB sticks (and of the controls, such as restricting removable media on work machines, that limit them). The scenario also highlights the importance of keeping work and private devices as separate as possible.

3. A potential cyber threat

Problem: a cybercriminal threatens to breach company systems and access sensitive data, but you don't know how he intends to attack.

An example of the scenario you might present: after allegedly being wronged by the company, a cybercriminal starts e-mailing staff members threatening to hack into the company's database. The nature of the attack is unknown, however, and the company must act quickly to ensure that all systems are protected.

What is being assessed: this scenario requires participants to plan in advance for an attack that could come from anywhere in the system. They must identify weak points and decide very quickly how to strengthen the company's defences and security measures. The threatening e-mails themselves should also be preserved as evidence and reported, rather than deleted or replied to.

4. The cloud has been compromised

Problem: a cloud-based service you use to store data has been hacked and passwords and stored data have been compromised.

An example of the scenario you might present: a news story reports that a third-party cloud storage service you use has been hacked. The extent of the breach is not yet known, but it has been revealed that some of the data stored there has been exposed.

What is being assessed: participants are tested on their incident response, on how they intend to deal with the problem, and on whether they believe the company remains responsible for the breach even though it originated with a third-party provider. A useful prompt here is that the company is still accountable for its customers' data wherever it is stored, so the team should expect to rotate any credentials shared with the provider and to notify affected parties.

5. Financial mess

Problem: data in the payroll system was tampered with or deleted, and this only came to light when employees did not receive their pay for the current month.

An example of the scenario you might present: five new staff members, hired more than a month ago, did not receive their pay and raised the issue with their managers. On closer examination, it appears that they were added to the system by someone in finance, but their records have since been removed or have disappeared.

What is assessed: participants have to work out what happened and what led to the records disappearing (a user error, a failed process, or deliberate tampering, which the payroll system's audit logs should help distinguish). This tests their incident response and whether they know who to report to when a breach of financial systems has occurred.
