WEBVTT

1
00:00:00.000 --> 00:00:01.170
In this lesson,

2
00:00:01.170 --> 00:00:03.750
we will learn about impact analysis.

3
00:00:03.750 --> 00:00:06.660
Impact analysis in enterprise risk management

4
00:00:06.660 --> 00:00:09.750
involves evaluating the potential consequences

5
00:00:09.750 --> 00:00:13.950
of identified risks on organizational operations, assets,

6
00:00:13.950 --> 00:00:15.360
and objectives.

7
00:00:15.360 --> 00:00:17.190
This process quantifies

8
00:00:17.190 --> 00:00:20.820
how adverse events could affect business continuity,

9
00:00:20.820 --> 00:00:23.580
financial performance, and compliance,

10
00:00:23.580 --> 00:00:26.460
thereby enabling informed decision making

11
00:00:26.460 --> 00:00:29.850
and prioritization of risk mitigation efforts.

12
00:00:29.850 --> 00:00:32.940
Impact analysis can be thought of in five steps.

13
00:00:32.940 --> 00:00:36.870
These steps are identify and analyze the events,

14
00:00:36.870 --> 00:00:38.790
evaluate impact,

15
00:00:38.790 --> 00:00:40.500
develop scenarios,

16
00:00:40.500 --> 00:00:42.060
assess the outcomes,

17
00:00:42.060 --> 00:00:44.640
and implement mitigation strategies.

18
00:00:44.640 --> 00:00:47.520
Let's explore each of these in more detail.

19
00:00:47.520 --> 00:00:51.390
First, we identify and analyze the extreme scenarios

20
00:00:51.390 --> 00:00:53.400
that could realistically happen,

21
00:00:53.400 --> 00:00:55.680
and that could have severe consequences.

22
00:00:55.680 --> 00:00:58.350
For example, imagine a cyber attack

23
00:00:58.350 --> 00:01:02.070
that completely locks down the organization's critical data,

24
00:01:02.070 --> 00:01:04.020
such as a ransomware attack

25
00:01:04.020 --> 00:01:05.280
or a natural disaster,

26
00:01:05.280 --> 00:01:06.690
such as a massive hurricane

27
00:01:06.690 --> 00:01:09.570
that damages the company's main data center.

28
00:01:09.570 --> 00:01:10.920
Both of these scenarios

29
00:01:10.920 --> 00:01:14.160
could disrupt our operations for weeks.

30
00:01:14.160 --> 00:01:17.460
Second, we evaluate the key business assets

31
00:01:17.460 --> 00:01:21.360
or processes that would be impacted by these scenarios.

32
00:01:21.360 --> 00:01:23.520
In the case of a ransomware attack,

33
00:01:23.520 --> 00:01:27.420
the key assets at risk would include our organization's data,

34
00:01:27.420 --> 00:01:30.870
customer information, and operational systems.

35
00:01:30.870 --> 00:01:32.730
If that data was not accessible

36
00:01:32.730 --> 00:01:34.380
because of the ransomware,

37
00:01:34.380 --> 00:01:37.740
business processes like billing, customer service,

38
00:01:37.740 --> 00:01:40.830
and order fulfillment could grind to a halt.

39
00:01:40.830 --> 00:01:42.930
In the natural disaster scenario,

40
00:01:42.930 --> 00:01:45.900
the main data center houses essential hardware

41
00:01:45.900 --> 00:01:47.550
and backup systems.

42
00:01:47.550 --> 00:01:48.960
If that building is damaged

43
00:01:48.960 --> 00:01:50.820
or rendered inoperable,

44
00:01:50.820 --> 00:01:53.010
the entire company could lose access

45
00:01:53.010 --> 00:01:55.230
to critical applications and data,

46
00:01:55.230 --> 00:01:58.530
severely impacting our business continuity.

47
00:01:58.530 --> 00:02:02.970
Third, we develop realistic scenarios based on those threats

48
00:02:02.970 --> 00:02:04.860
and potential impacts.

49
00:02:04.860 --> 00:02:06.330
For the ransomware attack,

50
00:02:06.330 --> 00:02:09.900
we imagine a situation where hackers infiltrate the system

51
00:02:09.900 --> 00:02:11.160
through a phishing email,

52
00:02:11.160 --> 00:02:13.290
gain access to sensitive information,

53
00:02:13.290 --> 00:02:16.320
and then encrypt critical data across our network.

54
00:02:16.320 --> 00:02:18.900
This forces the company into a position

55
00:02:18.900 --> 00:02:21.180
where we must either pay the ransom

56
00:02:21.180 --> 00:02:23.370
or lose access to vital data

57
00:02:23.370 --> 00:02:26.880
for an extended period of time, maybe forever.

58
00:02:26.880 --> 00:02:28.830
For the natural disaster scenario,

59
00:02:28.830 --> 00:02:31.800
we can envision the hurricane flooding the data center,

60
00:02:31.800 --> 00:02:34.530
leading to widespread hardware failure,

61
00:02:34.530 --> 00:02:37.680
and a significant delay in restoring backups

62
00:02:37.680 --> 00:02:41.220
because our physical infrastructure has been damaged.

63
00:02:41.220 --> 00:02:44.880
Fourth, we assess the outcomes of each scenario,

64
00:02:44.880 --> 00:02:48.480
looking at the ripple effects across the organization.

65
00:02:48.480 --> 00:02:50.010
In the ransomware attack,

66
00:02:50.010 --> 00:02:52.320
the immediate outcome is the inability

67
00:02:52.320 --> 00:02:54.270
to access important data,

68
00:02:54.270 --> 00:02:56.550
leading to operational downtime,

69
00:02:56.550 --> 00:03:00.240
financial losses, and potentially damaged customer trust.

70
00:03:00.240 --> 00:03:02.730
If the company cannot retrieve its data quickly,

71
00:03:02.730 --> 00:03:04.980
it might also face regulatory fines

72
00:03:04.980 --> 00:03:07.380
for not meeting compliance standards.

73
00:03:07.380 --> 00:03:09.420
In the case of the natural disaster,

74
00:03:09.420 --> 00:03:10.860
the damage to the data center

75
00:03:10.860 --> 00:03:13.050
could delay business operations,

76
00:03:13.050 --> 00:03:15.300
require costly hardware replacements,

77
00:03:15.300 --> 00:03:18.600
and lead to a prolonged recovery process.

78
00:03:18.600 --> 00:03:21.930
The ripple effect here includes missed deadlines,

79
00:03:21.930 --> 00:03:23.550
loss of customer confidence,

80
00:03:23.550 --> 00:03:27.840
and significant costs associated with relocating operations

81
00:03:27.840 --> 00:03:29.670
and restoring services.

82
00:03:29.670 --> 00:03:31.260
Fifth, and finally,

83
00:03:31.260 --> 00:03:33.930
we recommend specific mitigation strategies

84
00:03:33.930 --> 00:03:37.950
or controls to reduce the damage if these scenarios occur.

85
00:03:37.950 --> 00:03:39.360
For the ransomware attack,

86
00:03:39.360 --> 00:03:41.520
mitigation steps could include:

87
00:03:41.520 --> 00:03:43.440
implementing backup protocols,

88
00:03:43.440 --> 00:03:45.960
regular employee training on phishing attacks,

89
00:03:45.960 --> 00:03:48.960
and installing advanced threat detection software.

90
00:03:48.960 --> 00:03:52.170
This would ensure that even in the event of an attack,

91
00:03:52.170 --> 00:03:55.230
the company could quickly restore its systems without having

92
00:03:55.230 --> 00:03:56.340
to pay the ransom,

93
00:03:56.340 --> 00:03:59.880
or could maybe even prevent the attack in the first place.

94
00:03:59.880 --> 00:04:01.800
In the case of the natural disaster,

95
00:04:01.800 --> 00:04:03.120
mitigation could involve

96
00:04:03.120 --> 00:04:06.390
having an offsite backup data center located far

97
00:04:06.390 --> 00:04:08.430
from areas prone to hurricanes,

98
00:04:08.430 --> 00:04:11.430
implementing cloud-based data access redundancy,

99
00:04:11.430 --> 00:04:15.030
and developing a clear disaster recovery plan that allows

100
00:04:15.030 --> 00:04:17.850
for a quick restoration of services.

101
00:04:17.850 --> 00:04:20.850
Both scenarios highlight the importance of planning

102
00:04:20.850 --> 00:04:22.230
to ensure resilience

103
00:04:22.230 --> 00:04:25.680
in the face of extreme, yet plausible, risks.

104
00:04:25.680 --> 00:04:27.870
As you can see, this type of planning

105
00:04:27.870 --> 00:04:30.570
can get really in depth really quickly.

106
00:04:30.570 --> 00:04:33.150
Most of this type of planning takes a team

107
00:04:33.150 --> 00:04:34.530
of security professionals

108
00:04:34.530 --> 00:04:37.410
who consider the problem from various perspectives

109
00:04:37.410 --> 00:04:39.960
to truly create a holistic solution

110
00:04:39.960 --> 00:04:42.480
to adequately minimize the risk.

111
00:04:42.480 --> 00:04:45.360
In this lesson, we covered just a quick overview

112
00:04:45.360 --> 00:04:46.800
of that process,

113
00:04:46.800 --> 00:04:49.110
but you are going to get much more in depth with this

114
00:04:49.110 --> 00:04:51.660
when you start working on these types of problems

115
00:04:51.660 --> 00:04:53.190
in the real world.

116
00:04:53.190 --> 00:04:54.840
So remember,

117
00:04:54.840 --> 00:04:57.300
impact analysis helps organizations

118
00:04:57.300 --> 00:04:59.370
assess the potential consequences

119
00:04:59.370 --> 00:05:03.570
of major risks to operations, assets, and objectives.

120
00:05:03.570 --> 00:05:05.400
This process identifies

121
00:05:05.400 --> 00:05:07.890
and analyzes extreme scenarios,

122
00:05:07.890 --> 00:05:11.010
evaluating the impact on critical assets,

123
00:05:11.010 --> 00:05:14.670
developing realistic scenarios based on those risks,

124
00:05:14.670 --> 00:05:16.380
assessing the outcomes,

125
00:05:16.380 --> 00:05:19.080
and implementing mitigation strategies.

126
00:05:19.080 --> 00:05:22.050
For example, scenarios like a ransomware attack

127
00:05:22.050 --> 00:05:23.460
or a natural disaster

128
00:05:23.460 --> 00:05:26.220
could severely disrupt business operations.

129
00:05:26.220 --> 00:05:28.110
Once the risks are understood,

130
00:05:28.110 --> 00:05:30.840
organizations can determine their ripple effects,

131
00:05:30.840 --> 00:05:33.180
such as downtime, financial loss,

132
00:05:33.180 --> 00:05:35.190
and damaged customer trust.

133
00:05:35.190 --> 00:05:37.800
By planning and applying mitigation measures,

134
00:05:37.800 --> 00:05:40.830
companies can minimize damage and ensure resilience

135
00:05:40.830 --> 00:05:44.133
against extreme, yet plausible, threats.

