INTRODUCTION 

Every year, the World Economic Forum (WEF) draws up a report (the World Economic Forum Global Risk Report) on the risks to which the business world is exposed; these include cyber-related risks. In particular, one of the highest-ranked risks, in terms of both probability and impact, directly threatens the continuity of corporate business: cyber attacks.

Risk assessment 

The WEF assessment is influenced by several factors. As far as the economic impact of an attack is concerned, it varies by industry, from a minimum of $2m for the public sector to over $9m for the health sector (IBM Security Report). These figures represent the average cost incurred by companies to manage cyber attacks.

As far as probability is concerned, many factors influence it. First of all, the wide availability of hacking and attack tools and services, which can be found online even free of charge, increases the pool of potential cyber criminals, reaching even those segments of the population with only average technical skills. In addition, there are genuine criminal enterprises, organised like real companies, set up with the aim of attacking and hacking industries worldwide for one main purpose: profit. The turnover of these crime companies is exorbitant (millions and millions of dollars), constantly growing and with staggering returns on investment.

In addition to intentional attacks, another major risk to business continuity comes from natural events as well as malicious or accidental actions by internal personnel. 

All the events mentioned above share the characteristic of being potentially extremely dangerous for the continuation of the company's business, on top of the huge costs of managing and remedying the disaster: costs that are not only related to lost business, but which also include restoring systems, dealing with legal action, penalties, reputational damage, etc.

Risk Management 

In this context, it is therefore fundamental for every company to be prepared and ready to handle crisis situations. 

Preparation starts with the formal aspects including formalised and up-to-date business continuity and disaster recovery plans, which must be defined according to actual business needs. 

However, being prepared to manage a disaster is a matter of skills (knowledge of procedures) and testing (testing and practising emergency management), both of which feed off each other in a virtuous circle that has the practical exercise of procedures at its centre. 

Most companies, however, focus their attention on testing the technical components of the procedures; for example, verifying that the restart sequence of systems works, or that systems and applications can be recovered.

Although these checks are obviously important, there is one part of the procedures that is rarely tested, even though it is just as relevant: the organisational and decision-making aspects. These include testing the knowledge of continuity management processes, the ability to make decisions according to procedure in stressful situations, and the management of communications with external bodies (press/media, customers, suppliers, law enforcement agencies, regulatory authorities, etc.).

To approach this issue, we provide our customers with an innovative solution based on an immersive simulation platform, called Cyber Jumanji. 

Cyber Jumanji makes it possible to simulate any crisis situation realistically in order to:

  • verify the completeness and correctness of the procedures;
  • verify the knowledge of the procedures among the roles involved;
  • train emergency management teams in the handling of adverse situations.

Cyber Jumanji is a simple and intuitive platform that is accessed entirely online, so that all participants can carry out their tasks from their own offices or from anywhere with a browser.

Cyber Jumanji allows the simulation of a crisis situation in which each participant and/or each team involved takes part in a role play, playing either their own professional role or another one assigned in the configuration phase (for example customers, competitors, stakeholders, authorities, other internal roles, etc.), with the aim of solving strategic challenges collaboratively.

As in the real world, all participants act in a concurrent and simultaneous manner, without having all the information they would need to fully understand what is actually happening and to manage external factors that are usually out of their control. 

Only at the end of a simulation cycle will each team member be able to verify and evaluate the effects that their own decisions and actions have had in combination with those of the other team members.

How does Cyber Jumanji work? 

It consists of three main elements: 

  1. The configurator of the procedure to be simulated: configuration is the responsibility of the Innovery team of consultants and is carried out in agreement with the customer, with the aim of defining the procedure to be tested and the characteristics of the specific test scenario (for example, the activation of a Disaster Recovery plan can equally be triggered by a fire, an earthquake, flooding, etc.: different situations that must each be handled specifically, but which all lead to the activation of the same plan);
  2. The Simulator: the component that actually runs the simulation; each participant accesses the system and reacts to the inputs presented according to his or her role, skills and knowledge of the company procedure provided;
  3. Analytics: this component, used by the Innovery team, collects information about the simulation and organises it into various graphical representations that highlight the strengths and weaknesses detected during the simulation. The identified elements are then interpreted and shared with both the team that took part in the simulation and the client, each for the part of interest to them.

During the simulation, the platform presents the participants with situations to be managed and/or unexpected events, as normally happens in real crisis situations, in order to assess the appropriateness of the procedure, the responsiveness of the people involved and their ability to handle stressful situations.

In addition, it is possible to submit questionnaires or requests for analysis and decision-making that highlight the level of knowledge and governance of the emergency situation, as well as the ability to carry out precise analyses to identify solutions to unexpected situations. 

The ability to simulate the presence of roles not commonly involved in continuity tests (such as journalists, law enforcement agencies, regulatory authorities and corporate top management) allows demands to be made that put pressure and stress on participants, just as happens in reality. This feature makes the simulation highly realistic.

The roles envisaged 

The simulation involves three types of role, described below:

  1. Active roles: these are the roles that actively participate in the simulation; they are called on to analyse situations, make decisions, and interact with each other and with the represented roles. Each active role corresponds to a function in the procedure and can be played by the person who actually performs that function in the company or by another person. Each active role is provided with login credentials to be used for the simulation; the profile associated with the credentials corresponds to the role to be performed.
  2. Represented roles: these are the roles for which it is not possible to involve a real person, but which are necessary for the proper execution of the procedure; for example, the press, law enforcement agencies, regulatory authorities (Banca d’Italia, IVASS, etc.) and senior corporate figures who cannot take part in the activity are usually represented roles. The represented roles are played by the simulation manager.
  3. Simulation manager: an operational role that manages the simulation process. It sends the initial and final communications, plays the represented roles, and triggers and manages the simulation elements that create stressful situations. This role is performed by Innovery team personnel.

Objectives and Results 

Beyond the specific interest of the individual scenario, conducting a crisis simulation provides valuable information on the solidity, completeness and applicability of the simulated procedure, and on how thoroughly the team knows it.

Moreover, participants in the simulations develop skills, reaction capabilities and insights relevant to achieving the goal; this would be difficult to obtain with other, more conventional methodologies. 

Following the simulation, an analysis report is produced on: 

  • the evaluation of the completeness and correctness of the simulated procedure; 
  • the assessment of the knowledge of and compliance with the procedures by the involved team. 

In addition to the exercise itself, the simulation results in the writing of a report that accurately represents the characteristics of the simulation as well as the results obtained. The analysis is supported by the observations made during the simulation and the reporting generated by Cyber Jumanji, which is able to objectively highlight the problems encountered. 

The report is then completed by a proposal for a remediation plan useful for dealing with the problems encountered. 

Simulation 

The simulation is built from the defined operational policies/procedures; where these do not exist, at least a verbal description of the way the company operates in an emergency is required.

Next, the scenario to be simulated must be precisely defined (e.g. a ransomware attack on an employee’s PC, a DDoS attack on a website, an earthquake preventing access to a building/office, etc.), together with the real and represented participants. It is recommended that the scenario is not shared with the participants, so as to reproduce the surprise effect that also exists in reality.

The simulations last on average 2 to 3 hours, which corresponds to the time commitment required of the participants.

Simona Costa
Senior Security Advisor, Innovery