How to Run Scenario Planning Drills: A Cybersecurity Risk Management Solution
WFH presents new risks for cybersecurity
Scammers are taking advantage of workforce changes resulting from the pandemic [1], including the switch to WFH: in 2020, 20% of companies said they had a security breach as a result of an employee working remotely [2].
This rise in cyberattacks is costing companies, with the average cost of a data breach increasing from $3.86 million USD in 2020 to $4.24 million USD in 2021 [3]. Prior to the pandemic, hackers focused on larger corporations and governments. However, as employees have begun to work from home, they have unwittingly become the newest targets.
The widespread consequences of an organizational cyberattack
As headlines have heralded in the last few months, cyberattacks affect more than just the victim. Take the Colonial Pipeline hack of 2021, which caused widespread panic and led to gas shortages from Texas to the Northeast [4]. After the company paid a ransom of $4.4 million USD and began to return to business as usual [4], the hack had significant impacts on the people living in these states: an estimated 1,800 gas stations ran out of fuel and national average gas prices jumped to their highest since October 2014 [5].
Cyberattacks damage not only pocketbooks and consumers, but also the wellbeing of employees. Research shows that victims of cybercrimes feel as violated as if it were a physical attack: they report feelings of rage, shame, isolation and fear [6], and they experience symptoms similar to Post-Traumatic Stress Disorder (PTSD) [7].
Lack of preparation increases the cost of a breach by $3.58 million USD
Preparation can mitigate the worst impacts: for organizations with fully deployed security operations, the average cost of a data breach is $2.45 million USD; for those that are not up-to-date or idling, the average cost is $6.03 million USD [8].
However, even though preparation yields notable dividends, organizations are unprepared because leadership often underestimates the risks of cyberattacks and tends to focus on temporally salient priorities, a behavioral tendency known as hyperbolic discounting.
Hyperbolic discounting diminishes cybersecurity preparation
We often delay preparation for events, especially when the probabilities of the event are low, in favor of tasks that are top-of-mind. Hyperbolic discounting, defined as our tendency to prefer immediate rewards over future ones, helps us understand the disconnect between comprehension of the risks and preparation for an attack. In a survey of 5,000 directors, only 38% reported feeling significantly concerned about cybersecurity risks, and even fewer felt that they were prepared [9].
It’s clear that the majority of directors prefer to face issues that are front and center now, rather than deal with an issue that might arise later on. Given that cyberattacks have become more frequent and more severe in the last few years, mitigating hyperbolic discounting would help your organization better prepare for future risks.
References
1. WHO reports fivefold increase in cyber attacks, urges vigilance. (2020, April 23). https://www.who.int/news/item/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance
2. Enduring from home: COVID-19’s impact on business security. (2020). Malwarebytes. https://www.malwarebytes.com/resources/files/2020/08/malwarebytes_enduringfromhome_report_final.pdf
3. Lukehart, A. (2022, January 4). 2022 Cyber Attack Statistics, Data, and Trends. https://parachute.cloud/2022-cyber-attack-statistics-data-and-trends/
4. Turton, W., & Mehrotra, K. (2021, June 4). Hackers Breached Colonial Pipeline Using Compromised Password. Bloomberg. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
5. Gibson, K., & Cerullo, M. (2021, May 13). Gas shortages worsen as fuel prices spike after Colonial Pipeline ransomware attack. CBS News. https://www.cbsnews.com/news/gas-prices-shortages-worsen-colonial-pipeline-ransomware-attack/
6. Ranger, S. (2020, June 26). “The most stressful four hours of my career:” How it feels to be the victim of a hacking attack. ZDNet. https://www.zdnet.com/article/it-is-stressful-it-is-frightening-what-its-like-to-be-a-victim-of-hacking-and-ransomware/
7. Wiederhold, B. (2014). The Role of Psychology in Enhancing Cybersecurity. Cyberpsychology, Behavior and Social Networking, 17, 131–132. https://doi.org/10.1089/cyber.2014.1502
8. Cost of a Data Breach Report 2020. (2020). IBM Security.
9. Cheng, J. Y.-J., & Groysberg, B. (2017, February 22). Why Boards Aren’t Dealing with Cyberthreats. Harvard Business Review. https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats
10. Evans, D. (2012, June 21). Your Judgment of Risk Is Compromised. Harvard Business Review. https://hbr.org/2012/06/recognize-the-limits-of-judgme
11. Patterson, D. (2021, May 19). Cybercrime is thriving during the pandemic, driven by surge in phishing and ransomware. CBS News. https://www.cbsnews.com/news/ransomware-phishing-cybercrime-pandemic/
12. Pearlson, K., Thorson, B., Madnick, S., & Coden, M. (2021, March 9). Cyberattacks Are Inevitable. Is Your Company Prepared? Harvard Business Review. https://hbr.org/2021/03/cyberattacks-are-inevitable-is-your-company-prepared
13. Garvin, D., & Levesque, L. (2005, November 17). A Note on Scenario Planning. Harvard Business Publishing. https://hbsp.harvard.edu/product/306003-PDF-ENG
14. Iny, A., Khanna, S., Coden, M., & Struck, B. (2021). Strengthen Your Strategy with Cyber Scenarios. Boston Consulting Group & The Decision Lab. https://app.hubspot.com/documents/3834397/view/233481126?accessId=f10950
15. Strengthen Your Strategy with Cyber Scenarios. (2021). [Video Conference Transcript]. https://app.hubspot.com/documents/3834397/view/268002968?accessId=622f3d
16. Sheffer, C. E., Mackillop, J., Fernandez, A., Christensen, D., Bickel, W. K., Johnson, M. W., Panissidi, L., Pittman, J., Franck, C. T., Williams, J., & Mathew, M. (2016). Initial examination of priming tasks to decrease delay discounting. Behavioural Processes, 128, 144–152. https://doi.org/10.1016/j.beproc.2016.05.002
17. Selsky, J. W., & McCann, J. E. (2008). Managing Disruptive Change and Turbulence through Continuous Change Thinking and Scenarios. In Business Planning for Turbulent Times (1st Edition, p. 20). Routledge. https://www.taylorfrancis.com/chapters/edit/10.4324/9781849770644-21/managing-disruptive-change-turbulence-continuous-change-thinking-scenarios-john-selsky-joseph-mccann
18. Porter, M. (2011). Competitive Advantage of Nations: Creating and Sustaining Superior Performance. Simon and Schuster.
19. Oliver, J. J., & Parrett, E. (2018). Managing future uncertainty: Reevaluating the role of scenario planning. Business Horizons, 61(2), 339–352. https://doi.org/10.1016/j.bushor.2017.11.013
20. Hershfield, H., Goldstein, D., Sharpe, W., Fox, J., Yeykelis, L., Carstensen, L., & Bailenson, J. (2011). Increasing Saving Behavior Through Age-Progressed Renderings of the Future Self. JMR, Journal of Marketing Research, 48, S23–S37. https://doi.org/10.1509/jmkr.48.SPL.S23
21. Jarzabkowski, P., & Kaplan, S. (2015). Strategy tools-in-use: A framework for understanding “technologies of rationality” in practice. Strategic Management Journal, 36(4), 537–558. https://doi.org/10.1002/smj.2270
22. Schoemaker, P. J. H. (1995, January 15). Scenario Planning: A Tool for Strategic Thinking. MIT Sloan Management Review. https://sloanreview.mit.edu/article/scenario-planning-a-tool-for-strategic-thinking/
23. Barber, M. (2009). Questioning Scenarios. Journal of Futures Studies, 13(3). https://jfsdigital.org/wp-content/uploads/2014/01/113-A04.pdf
24. Hiltunen, E. (n.d.). Scenarios: Process and Outcome. Journal of Futures Studies, 13(3). Retrieved April 26, 2022, from https://jfsdigital.org/articles-and-essays/2009-2/vol-13-no-3-february/scenario-symposium/scenarios-process-and-outcome/
25. Wright, G., O’Brien, F., Meadows, M., Tapinos, E., & Pyper, N. (2020). Scenario planning and foresight: Advancing theory and improving practice. Technological Forecasting and Social Change, 159, 120220. https://doi.org/10.1016/j.techfore.2020.120220
26. Wilkinson, A., & Kupers, R. (2013, May 1). Living in the Futures. Harvard Business Review. https://hbr.org/2013/05/living-in-the-futures
27. Wack, P. (1985, September 1). Scenarios: Uncharted Waters Ahead. Harvard Business Review. https://hbr.org/1985/09/scenarios-uncharted-waters-ahead
About the Authors
Lindsey Turk
Lindsey Turk is a Summer Content Associate at The Decision Lab. She holds a Master of Professional Studies in Applied Economics and Management from Cornell University and a Bachelor of Arts in Psychology from Boston University. Over the last few years, she’s gained experience in customer service, consulting, research, and communications in various industries. Before The Decision Lab, Lindsey served as a consultant to the US Department of State, working with its international HIV initiative, PEPFAR. Through Cornell, she also worked with a health food company in Kenya to improve access to clean foods and cites this opportunity as what cemented her interest in using behavioral science for good.
Michael Coden
Named #6 in “The Top 50 Cybersecurity Leaders of 2021” by The Consulting Report for innovative contributions to cybersecurity, Michael advises Boards, CEOs, C-suites, and CISOs on IT, OT, and Product cybersecurity strategy, implementation, and resilience.
Dan Pilat
Dan is a Co-Founder and Managing Director at The Decision Lab. He is a bestselling author of Intention - a book he wrote with Wiley on the mindful application of behavioral science in organizations. Dan has a background in organizational decision making, with a BComm in Decision & Information Systems from McGill University. He has worked on enterprise-level behavioral architecture at TD Securities and BMO Capital Markets, where he advised management on the implementation of systems processing billions of dollars per week. Driven by an appetite for the latest in technology, Dan created a course on business intelligence and lectured at McGill University, and has applied behavioral science to topics such as augmented and virtual reality.
Dr. Brooke Struck
Dr. Brooke Struck is the Research Director at The Decision Lab. He is an internationally recognized voice in applied behavioural science, representing TDL’s work in outlets such as Forbes, Vox, Huffington Post and Bloomberg, as well as Canadian venues such as the Globe & Mail, CBC and Global Media. Dr. Struck hosts TDL’s podcast “The Decision Corner” and speaks regularly to practicing professionals in industries from finance to health & wellbeing to tech & AI.