screen displaying codes

How to Run Scenario Planning Drills: A Cybersecurity Risk Management Solution

WFH presents new risks for cybersecurity

Scammers are taking advantage of workforce changes resulting from the pandemic,1 including the switch to WFH: in 2020, 20% of companies said they had a security breach as a result of an employee working remotely.2

This rise in cyberattacks is costing companies, with the average cost of a data breach increasing from $3.86 million USD in 2020 to $4.24 million USD in 2021.3 Prior to the pandemic, hackers focused on larger corporations and governments. However, as employees have begun to work from home, they have unwittingly become the newest targets. 

The widespread consequences of an organizational cyberattack

As headlines have heralded in the last few months, cyberattacks affect more than just the victim. Take the Colonial Pipeline hack of 2021, which caused widespread panic and led to gas shortages from Texas to the Northeast.4 After the company paid a ransom of $4.4 million USD and began to return to business as usual,4 the hack had significant impacts for the people living in these states, as an estimated 1,800 gas stations ran out of fuel and national average gas prices jumped to their highest since October 2014.

Cyberattacks damage not only pocketbooks and consumers, but also the wellbeing of employees. Research shows that victims of cybercrimes feel as violated as if it were a physical attack - they report feelings of rage, shame, isolation and fear,6 and they experience symptoms similar to Post-Traumatic Stress Disorder (PTSD).7 

Lack of preparation increases the cost of a breach by $3.58 million USD

Preparation can mitigate the worst impacts: for organizations with fully deployed security operations, the average cost of a data breach is $2.45 million USD; for those that are not up-to-date or idling, the average cost was $6.03 million USD.8

However, even though preparation yields notable dividends, organizations are unprepared because leadership often underestimates the risks of cyber attacks and tend to focus on temporally salient priorities - a behavioral tendency known as hyperbolic discounting.

Hyperbolic discounting diminishes cybersecurity preparation

We often delay preparation for events, especially when the probabilities of the event are low, in favor of tasks that are top-of-mind. Hyperbolic discounting, defined as our tendency to prefer immediate rewards over future ones, helps us understand the disconnect between comprehension of the risks and preparation for an attack. In a survey of 5,000 directors, only 38% reported feeling significantly concerned about cybersecurity risks, and even fewer felt that they were prepared.9

It’s clear that the majority of directors prefer to face issues that are front and center now, rather than deal with an issue that might arise later on. Given that cyber attacks have become more frequent and more severe in the last few years, mitigating hyperbolic discounting would help your organization better prepare for future risks.

Behavioral Science, Democratized

We make 35,000 decisions each day, often in environments that aren’t conducive to making sound choices. 

At TDL, we work with organizations in the public and private sectors—from new startups, to governments, to established players like the Gates Foundation—to debias decision-making and create better outcomes for everyone.

More about our services

graphs showing level of concern and level of readiness of companies towards cyberattacks

Why we miscalculate our risk of cyberattacks: confirmation bias

We tend to underreact to differences in long odds and view these estimates as very unlikely. This tendency is known as the favorite-longshot bias.10 As a result, we begin to understand a “very unlikely” risk as “none at all.”

The confirmation bias reinforces this way of thinking: when we really want to believe that something won’t happen, we then look for reasons that support our ignoring the problem. We tend to round a 5% chance of something down to 0, however 5% of cyber attacks cost companies $1 million USD or more.11 In order to be mindful of the cognitive traps in underestimating the real risks, we must be hypervigilant about our biases and the very real risks we face.

Scenario planning as a countermeasure to hyperbolic discounting and risk miscalculation 

What is scenario planning?

One strategy with a high likelihood of increasing preparedness is realistic scenario planning. This strategy, built on the foundation of clear learning objectives, consists of running plausible scenarios such as the organization getting locked out of key elements of its digital infrastructure  or sensitive data being auctioned on the dark web.12 To create the scenarios, leadership must consider a key problem, its driving forces, and any uncertainties that may exist in the context of that issue.13 Scenario planning helps organizations strengthen their defense systems by stress-testing assumptions, building resiliency, encouraging collaboration between employees of all sectors and levels, and increasing employees’ capacity to react.14 

There are two types of scenario planning drills:12

  • Fire drills, which occur occasionally and test managerial responses
  • Tabletop exercises, which occur more regularly and test people, process, and technology 

How does it counter hyperbolic discounting and miscalculation biases?

As Director and CEO of FINTRAC Sarah Paquet explained (in a seminar with The Decision Lab and Boston Consulting Group), people need stories in order to make the risks feel real.15 The research supports this, too: stories related to the future (also known as future-focus priming) can help avoid hyperbolic discounting.16 Combining both systematic and imaginative thinking,17 scenario planning pushes participants to “move away from the dangerous single pointed forecasts of the future”18 and instead think more broadly about their cybersecurity environment.19 An empirically proven method to avoid hyperbolic discounting is to imagine yourself interacting with your future self, and scenario planning does exactly that.20

Another reason why this strategy works is because it brings together a range of people from within the organization and allows everyone to get on the same page with regard to cybersecurity risks.21 In recognizing the limits of our knowledge and holding each other accountable for that, employees can significantly reduce the risk of the favorite-longshot bias.10 

How does scenario planning prepare us for cyber attacks?

Does scenario planning really address how we overestimate our own knowledge? To answer this, a researcher from MIT asked dozens of MBA students to provide confidence ranges on several issues relevant to their daytime occupations.22 A few weeks later, he had them create scenarios to use as the basis for new confidence intervals, ignoring their earlier answers.22 Confidence ranges widened by 50% as averaged across all scenarios.22

What this means is that after creating their scenarios, the students grew more aware of the risks and made an effort to account for them. Other experiments show that scenario planning helps us question23 and be prepared for the future24 by presenting complex information together in a coherent, comprehensive, and methodical way.25

What are the benefits of scenario planning?

In a firm that has used scenario planning and is experiencing an attack (let’s call it Firm A), senior leadership will know their respective roles and be able to work together cohesively. They will know how and what to say to stakeholders, and will retain much of their positive regard among the public. By having done rigorous and creative scenario planning, Firm A had time to do thought experiments and brought on new software with even better capabilities. 

What are the consequences of procrastinating drills?

For an organization (Firm B) that has not used scenario planning to prepare for a cyber attack, the consequences can be potentially devastating. If senior members of Firm B don’t know what to do, they might not trust the guidance from a CISO and may try to jump in and help, ultimately creating chaos and distrust. When it comes to making a statement to stakeholders and the press, people may speak too soon, potentially saying the wrong thing and making the firm look out of control or under bad leadership.

Case Study: Shell

Outside of the lab, scenario planning has a significant impact on helping businesses prepare for the worst. An excellent example of this is Shell. In the late 1960s, Shell pioneered scenario planning, which has now been in use at the organization for more than 50 years.26 The firm doesn’t use this strategy to predict the future; rather, the reason why they excel is because they create connections between organizational processes and enable senior leadership to think about previously inconceivable situations.26

Given their preparedness, Shell was prepared for the 1973 oil crisis, and again later in 1981 during the outbreak of the Iran-Iraq war.27 Unlike other oil companies that had stockpiled oil reserves, Shell sold off its excesses before the price of oil plummeted.27

Understanding Our Biases to Protect Organizations

By running these drills, everyone in the organization becomes more aware of cybersecurity risks, which can help employees accurately value their privacy decisions and consequently make more effort to protect their information.7 This strategy directly addresses hyperbolic discounting and favorite-longshot bias by allowing participants to clearly visualize future risks and all that goes into their preparedness solutions.

To learn more about cybersecurity preparedness and scenario planning, see Strengthen Your Strategy with Cybersecurity by The Decision Lab and Boston Consulting Group. The report details two hypothetical scenarios for your organization to test-run in order to prepare employees for a worst-case scenario.

To hear more from Michael on cybersecurity, check out the Strengthen Your Strategy with Cybersecurity webinar, as well as his episode on scenario-planning on The Decision Corner

The Decision Lab is a behavioral consultancy that uses science to advance social good. In the digital age, cybercrime is a threat to all of us — and the root cause of most breaches is human error. We work with some of the most innovative minds in cybersecurity to help organizations navigate this risk by understanding & weeding out sources of bias. If you'd like to tackle this together, contact us.

References

  1. WHO reports fivefold increase in cyber attacks, urges vigilance. (2020, April 23). https://www.who.int/news/item/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance
  2. Enduring from home: COVID-19’s impact on business security. (2020). Malwarebytes. https://www.malwarebytes.com/resources/files/2020/08/malwarebytes_enduringfromhome_report_final.pdf
  3. Lukehart, A. (2022, January 4). 2022 Cyber Attack Statistics, Data, and Trends. https://parachute.cloud/2022-cyber-attack-statistics-data-and-trends/
  4. Turton, W., & Mehrotra, K. (2021, June 4). Hackers Breached Colonial Pipeline Using Compromised Password. Bloomberg. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
  5. Gibson, K., & Cerullo, M. (2021, May 13). Gas shortages worsen as fuel prices spike after Colonial Pipeline ransomware attack. CBS News. https://www.cbsnews.com/news/gas-prices-shortages-worsen-colonial-pipeline-ransomware-attack/
  6. Ranger, S. (2020, June 26). “The most stressful four hours of my career:” How it feels to be the victim of a hacking attack. ZDNet. https://www.zdnet.com/article/it-is-stressful-it-is-frightening-what-its-like-to-be-a-victim-of-hacking-and-ransomware/
  7. Wiederhold, B. (2014). The Role of Psychology in Enhancing Cybersecurity. Cyberpsychology, Behavior and Social Networking, 17, 131–132. https://doi.org/10.1089/cyber.2014.1502
  8. Cost of a Data Breach Report 2020. (2020). IBM Security.
  9. Cheng, J. Y.-J., & Groysberg, B. (2017, February 22). Why Boards Aren’t Dealing with Cyberthreats. Harvard Business Review. https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats
  10. Evans, D. (2012, June 21). Your Judgment of Risk Is Compromised. Harvard Business Review. https://hbr.org/2012/06/recognize-the-limits-of-judgme
  11. Patterson, D. (2021, May 19). Cybercrime is thriving during the pandemic, driven by surge in phishing and ransomware. CBS News. https://www.cbsnews.com/news/ransomware-phishing-cybercrime-pandemic/
  12. Pearlson, K., Thorson, B., Madnick, S., & Coden, M. (2021, March 9). Cyberattacks Are Inevitable. Is Your Company Prepared? Harvard Business Review. https://hbr.org/2021/03/cyberattacks-are-inevitable-is-your-company-prepared
  13. Garvin, D., & Levesque, L. (2005, November 17). A Note on Scenario Planning. Harvard Business Publishing. https://hbsp.harvard.edu/product/306003-PDF-ENG
  14. Iny, A., Khanna, S., Coden, M., & Struck, B. (2021). Strengthen Your Strategy with Cyber Scenarios. Boston Consulting Group & The Decision Lab. https://app.hubspot.com/documents/3834397/view/233481126?accessId=f10950
  15. Strengthen Your Strategy with Cyber Scenarios. (2021). [Video Conference Transcript]. https://app.hubspot.com/documents/3834397/view/268002968?accessId=622f3d
  16. Sheffer, C. E., Mackillop, J., Fernandez, A., Christensen, D., Bickel, W. K., Johnson, M. W., Panissidi, L., Pittman, J., Franck, C. T., Williams, J., & Mathew, M. (2016). Initial examination of priming tasks to decrease delay discounting. Behavioural Processes, 128, 144–152. https://doi.org/10.1016/j.beproc.2016.05.002
  17. Selsky, J. W., & McCann, J. E. (2008). Managing Disruptive Change and Turbulence through Continuous Change Thinking and Scenarios. In Business Planning for Turbulent Times (1st Edition, p. 20). Routledge. https://www.taylorfrancis.com/chapters/edit/10.4324/9781849770644-21/managing-disruptive-change-turbulence-continuous-change-thinking-scenarios-john-selsky-joseph-mccann
  18. Porter, M. (2011). Competitive Advantage of Nations: Creating and Sustaining Superior Performance. Simon and Schuster.
  19. Oliver, J. J., & Parrett, E. (2018). Managing future uncertainty: Reevaluating the role of scenario planning. Business Horizons, 61(2), 339–352. https://doi.org/10.1016/j.bushor.2017.11.013
  20. Hershfield, H., Goldstein, D., Sharpe, W., Fox, J., Yeykelis, L., Carstensen, L., & Bailenson, J. (2011). Increasing Saving Behavior Through Age-Progressed Renderings of the Future Self. JMR, Journal of Marketing Research, 48, S23–S37. https://doi.org/10.1509/jmkr.48.SPL.S23
  21. Jarzabkowski, P., & Kaplan, S. (2015). Strategy tools-in-use: A framework for understanding “technologies of rationality” in practice. Strategic Management Journal, 36(4), 537–558. https://doi.org/10.1002/smj.2270
  22. Schoemaker, P. J. H. (1995, January 15). Scenario Planning: A Tool for Strategic Thinking. MIT Sloan Management Review. https://sloanreview.mit.edu/article/scenario-planning-a-tool-for-strategic-thinking/
  23. Barber, M. (2009). Questioning Scenarios. Journal of Futures Studies, 13(3). https://jfsdigital.org/wp-content/uploads/2014/01/113-A04.pdf
  24. Hiltunen, E. (n.d.). Scenarios: Process and Outcome. Journal of Futures Studies, 13(3). Retrieved April 26, 2022, from https://jfsdigital.org/articles-and-essays/2009-2/vol-13-no-3-february/scenario-symposium/scenarios-process-and-outcome/
  25. Wright, G., O’Brien, F., Meadows, M., Tapinos, E., & Pyper, N. (2020). Scenario planning and foresight: Advancing theory and improving practice. Technological Forecasting and Social Change, 159, 120220. https://doi.org/10.1016/j.techfore.2020.120220
  26. Wilkinson, A., & Kupers, R. (2013, May 1). Living in the Futures. Harvard Business Review. https://hbr.org/2013/05/living-in-the-futures
  27. Wack, P. (1985, September 1). Scenarios: Uncharted Waters Ahead. Harvard Business Review. https://hbr.org/1985/09/scenarios-uncharted-waters-ahead

About the Authors

Lindsey Turk's portrait

Lindsey Turk

Lindsey Turk is a Summer Content Associate at The Decision Lab. She holds a Master of Professional Studies in Applied Economics and Management from Cornell University and a Bachelor of Arts in Psychology from Boston University. Over the last few years, she’s gained experience in customer service, consulting, research, and communications in various industries. Before The Decision Lab, Lindsey served as a consultant to the US Department of State, working with its international HIV initiative, PEPFAR. Through Cornell, she also worked with a health food company in Kenya to improve access to clean foods and cites this opportunity as what cemented her interest in using behavioral science for good.

Michael Coden

Michael Coden

Named #6 in “The Top 50 Cybersecurity Leaders of 2021” by The Consulting Report for innovative contributions to cybersecurity, Michael advises Boards, CEOs, C-suites, and CISOs on IT, OT, and Product cybersecurity strategy, implementation, and resilience.

Dan Pilat's portrait

Dan Pilat

Dan is a Co-Founder and Managing Director at The Decision Lab. He has a background in organizational decision making, with a BComm in Decision & Information Systems from McGill University. He has worked on enterprise-level behavioral architecture at TD Securities and BMO Capital Markets, where he advised management on the implementation of systems processing billions of dollars per week. Driven by an appetite for the latest in technology, Dan created a course on business intelligence and lectured at McGill University, and has applied behavioral science to topics such as augmented and virtual reality.

Brooke Struck portrait

Dr. Brooke Struck

Dr. Brooke Struck is the Research Director at The Decision Lab. He is an internationally recognized voice in applied behavioural science, representing TDL’s work in outlets such as Forbes, Vox, Huffington Post and Bloomberg, as well as Canadian venues such as the Globe & Mail, CBC and Global Media. Dr. Struck hosts TDL’s podcast “The Decision Corner” and speaks regularly to practicing professionals in industries from finance to health & wellbeing to tech & AI.

Read Next

Notes illustration

Eager to learn about how behavioral science can help your organization?