Five key elements for creating an op risk scenario storyline

  • 4 September 2019
By Giuseppe Aloi, Scenario Programme Manager

Creating scenario storylines is a vital part of scenario assessment. However, it can be a challenge to know if you’ve designed a good storyline – how do you know you’ve covered everything you need to?

Using cyber-related data breach as an example, in this blog I'll take you through the five elements you need to think about when you're creating a scenario storyline. My examples are taken from the scenario cyber handbook, which is provided as part of an ORX Scenarios subscription. The handbook walks you through the steps for developing, assessing and refreshing a cyber-related data breach storyline in detail, but let’s focus on what you need to think about in the development stage now.

Developing a cyber-related data breach story

When you’re creating a storyline for a cyber-related data breach, there are five things you need to consider:

  1. Who?
  2. What?
  3. How?
  4. Motivation?
  5. What failed?

Which of these elements you start with is usually chosen by scenario practitioners and the operational risk management team. It may also be driven by internal methodologies and procedures. I’ll start with ‘who’ and work through from there.

[Figure: ORX five key elements for creating a cyber data breach scenario storyline]

Developing a scenario storyline: Who

The ‘who’ refers to who perpetrates the cyber data breach. This is commonly referred to as the ‘actor’. It could be an individual person or a group of people working together. Common examples of actors in a cyber data breach scenario include:

  • Former employees
  • Current employees
  • Employees of a third-party provider
  • A criminal organisation
  • A nation state

Think about what it is that enables that specific actor to commit the data breach. For example, a former employee may still be able to access certain systems because their accounts were never removed, while a criminal organisation may be experienced in carrying out that specific type of cyber-attack.

Developing a scenario storyline: What

The ‘what’ stage is all about the type of data that might be stolen from the firm, such as:

  • Trade information
  • Employee information
  • Customer data
  • Health information

Try to understand what the impact of losing each type of data would be. The impact could be legal, such as a class action lawsuit; regulatory, such as a fine; or reputational.

It is important that you think about how sensitive or critical the data is when you’re working out what could be compromised. This will help you estimate the overall impact.

Developing a scenario storyline: How

This is the technique that is used to get access to the data. There’s an almost endless list of cyber-attack methods, but some of the main ones include:

  • Phishing
  • Web-based attacks
  • Malware
  • Ransomware

These techniques can be used by actors both inside and outside your organisation. Don't forget that someone from outside your organisation can use social engineering to manipulate your colleagues into performing specific actions or disclosing confidential information, so an external actor may still rely on an insider, witting or not.

Developing a scenario storyline: Motivation

Once you’ve identified the actor(s) in your scenario, you need to think about their motivations. Going back to my earlier examples, the motivation of a former employee could be payback for losing their job, while a criminal organisation might want to sell the stolen information for profit. Other potential motivations include committing fraud, extorting a ransom or, in the case of a nation state, political objectives.

Developing a scenario storyline: What failed?

Now you know the ‘how’, the ‘what’ and the ‘who’, you can work out which controls failed (or weren’t in place), allowing the breach to happen. The failures could be in internal processes, vendor controls or IT systems, for example:

  • Firewall
  • Access management
  • Vulnerability testing
  • Data leakage prevention

Controls can be split into two categories – preventative and detective. Preventative controls would stop the breach from happening, while detective controls would identify that it has occurred; how quickly the detective controls fire determines how long the actor has access before the breach is contained, so both categories belong in the storyline.

How do I know if my storyline is realistic?

Now you have all the elements you need to create your cyber-related data breach scenario storyline. The best way to see if it’s realistic is to compare it either to real-life losses or to scenarios from other financial services companies. Services like ORX News, which gathers news stories about operational risk losses experienced around the world, can be useful here as a sense check. These types of news services let you see how close your storyline is to what has happened in real-life situations, and help you assess the likelihood and severity of the event.

Alternatively, if you're a subscriber to ORX Scenarios you can access our scenario library. The scenario library gives you access to more than 1000 real scenarios submitted by other institutions who subscribe to the service.
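The sense check described above can be made mechanical. The following Python is an added example, not code from ORX or from the handbook: it records a storyline as the five elements, reports which elements are still missing, and ranks a small set of constructed loss events (stand-ins for ORX News entries, not real data) by how many of who/what/how and failed controls they share with the storyline. The loss range of the comparable events is then a rough check on the severity estimate. Event identifiers, loss figures and the scoring weights are assumptions made for the illustration.

```python
"""Added example: five-element storyline completeness check and a sense check
against constructed historical loss events (not real ORX News data)."""
from statistics import median

# The five elements from the storyline method; every storyline needs all of them.
ELEMENTS = ("who", "what", "how", "motivation", "what_failed")

# Constructed example storyline (values are illustrative assumptions).
EXAMPLE_STORY = {
    "who": "criminal organisation",
    "what": "customer data",
    "how": "phishing",
    "motivation": "sell stolen data",
    "what_failed": ("data leakage prevention", "vulnerability testing"),
}

# Constructed loss events standing in for news-service entries; ids and
# loss figures are invented for the example.
LOSS_EVENTS = [
    {"id": "E1", "who": "criminal organisation", "what": "customer data",
     "how": "phishing",
     "what_failed": ("access management", "data leakage prevention"),
     "loss_eur": 12_000_000},
    {"id": "E2", "who": "former employee", "what": "trade information",
     "how": "retained credentials",
     "what_failed": ("access management",),
     "loss_eur": 3_500_000},
    {"id": "E3", "who": "nation state", "what": "customer data",
     "how": "malware",
     "what_failed": ("firewall", "vulnerability testing"),
     "loss_eur": 50_000_000},
    {"id": "E4", "who": "employee of a third-party provider",
     "what": "health information", "how": "phishing",
     "what_failed": ("vendor controls",),
     "loss_eur": 8_000_000},
]


def missing_elements(story):
    """Return the storyline elements that are absent or empty."""
    return [k for k in ELEMENTS if not story.get(k)]


def similarity(story, event):
    """One point each for matching who/what/how, plus one if any failed
    control overlaps. Motivation is deliberately excluded: news reports
    rarely state it reliably."""
    score = sum(1 for k in ("who", "what", "how") if story[k] == event[k])
    if set(story["what_failed"]) & set(event["what_failed"]):
        score += 1
    return score


def similar_events(story, events, min_score=2):
    """Events scoring at least min_score, best match first, ties by id."""
    scored = [(e["id"], similarity(story, e)) for e in events]
    return sorted((s for s in scored if s[1] >= min_score),
                  key=lambda s: (-s[1], s[0]))


def severity_range(story, events, min_score=2):
    """(min, median, max) loss of the comparable events, or None if there
    are none; a storyline severity far outside this range needs justifying."""
    ids = {i for i, _ in similar_events(story, events, min_score)}
    losses = [e["loss_eur"] for e in events if e["id"] in ids]
    if not losses:
        return None
    return min(losses), median(losses), max(losses)


if __name__ == "__main__":
    gaps = missing_elements(EXAMPLE_STORY)
    print("missing elements:", gaps or "none")
    print("comparable events:", similar_events(EXAMPLE_STORY, LOSS_EVENTS))
    print("loss range of comparables:", severity_range(EXAMPLE_STORY, LOSS_EVENTS))
```

Run it and the example storyline is complete, E1 (same actor, data, technique and an overlapping failed control) is the closest comparable, E3 qualifies on data type and failed control alone, and the loss range of those two bounds the severity estimate. A storyline with an empty element is flagged before any comparison is attempted.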


Looking for more information about cyber risk?

Find out more about the ORX cyber and information security risk programme.
