Horizon Scanning: A Beginner’s Guide

By

“Horizon scanning is a technique for detecting early signs of potentially important developments through a systematic examination of potential threats and opportunities, with emphasis on new technology and its effects on the issue at hand.”

With the world interconnected than ever before, an event in one place has the power to impact people across the world. Recently when a ship was stuck in the Suez canal, it resulted in shipping delays and the loss of millions of dollars. This event further created sub-events of its own and impacted in ways we are yet to identify. Volatility in Dow Jones affects the Asian markets and climate crisis in a country has the potential to increase the prices for consumers across the world.

Despite the efforts of witches and mages throughout the ages, the future can never be accurately foretold. In our modern world, our organizations turn to risk management as the latter-day shaman to divine the potential pitfalls and opportunities lurking in the midst of tomorrow. While there are a number of techniques out there, it is horizon scanning that has become the buzzword of the modern organization.

A policy paper “Interim cybersecurity science and technology strategy” published by the Government of the UK mentions Horizon scanning as one of the main techniques to remain effective in the world order. It also emphasizes that UK Government needs to mainstream the use of horizon scanning to inform cybersecurity policymaking. It ends by establishing trust in this risk management technique by mentioning “We will design in independent assurance to make sure that our horizon scanning capability is truly comprehensive and of a world-class capability and to ensure that NCSC’s views are properly incorporated into policymaking.” 

Another policy paper titled “Cyber Threats and NATO 2030: Horizon Scanning and Analysis” is in a way of applying this technique and showing the risks that we could face from a cybersecurity perspective.

Horizon Scanning

Given the focus of governments over this technique, especially for establishing its cybersecurity strategy, it calls for a deep understanding of this technique. Horizon scanning can be a good technique for people to look at complexity, challenge assumptions, and review multiple ways that events could unfurl to increase the resilience and reliability of their organizations.

It is not about trying to predict the future but rather reviewing options to make evidence-based decisions. 

Horizon scanning is a systematic method for:

• spotting potential causes of uncertainty

• ensuring adequate preparation

• exploiting opportunities and

• surviving threats

The operationalization of the process above may take the shape illustrated in the following graphic: 


Some of you may opinion that this is just an old approach to risk management. You identify the key stakeholders and discuss with them to identify the risks faced by the organization. However, look closely and you may identify the differences. The focus of this approach is for you to look at the horizon. 

We need to understand two terms at this point to further deep dive into this process. 

Risk can only be managed when the information needed for ‘management’ is available; explicit consideration of this requirement is an important part of the process. As the detail of the risk becomes clearer, the relationship between the possible risk event and the timing of usable management information also becomes clearer.

Where the rate of information needed to manage risk (either a threat or an opportunity) is available in good time before the event is expected, detailed management steps can be put in place using plans and processes. This is typically the kind of risk with detailed information and associated plans found in risk registers.

This early availability of management information is termed slow risk clock speed, as it is an ‘information rate’ issue being addressed. It means organizations have processing time on their side, discussion can occur, and plans may be implemented as a project. 

On the other hand, the management information for other risks can come in quick succession, at or close to real-time, and these are termed fast risk clock speed risks. 

Let’s understand this via some examples. 

A) Microsoft announces that it will retire support for Windows XXX version by year XXXX. As an information security professional, you pass on this risk to the management and they plan for this risk by procuring new licenses which would entail a cost of XX $. A slow simple risk that comes with a great processing time and the entire migration to a new Windows version can be treated as a project.

B)Your organization gets hit by a ransomware attack due a to zero-day vulnerability in software that you have deployed. This is real-time and you do not have the luxury of time and this cannot be treated as a long-term project.

These examples will help you understand the difference between slow risk clock speed and fast risk clock speed.

No degree of investigation or planning will make up for the real-time availability of the information. Fast risk clock speed risks such as that described above require a different management style and duly qualified experts must be on hand to assess and manage the risks by making critical decisions and using their expertise in real-time. Considering the rate of information availability (i.e. risk clock speed) is far more useful from a risk management perspective than just considering the velocity of the risk.

Horizon scanning is a technique that focuses on dealing with fast clock speed risks that helps you understand and be ready with a response even though you do not have the luxury of time. It helps you assess the landscape so that you are well prepared for such risks and have devised a strategy for dealing with fast clock speed risks.

Look Beyond

An important element of horizon scanning that sets it apart from normal risk assessment work is that it considers information that cannot normally be sourced from within the organization (i.e. from internal data sources and in-house management).

Seeking out information outside of your organization is vital: it may reveal that the industry you are in is moving in another direction and that you need to change the course for your business to survive. Therefore, when conducting a horizon-scanning exercise, it is vital to identify where to go to get information that cannot be sourced internally.

  • Threat Landscapes
  • Opportunities
  • Industry Leaders
  • Cutting Research
  • Customers
  • View from the ground floor
  • Technology perspective

While you may be performing horizon scanning in your organization in a different manner, it is imperative that you publish these results to the board on a timely basis.  A 2019 BSI Horizon scanning report lists cyber threats as the topmost risk faced by organizations and governments around the world. 

"Cyberattack tops the list of future challenges: The cyberattack was the fourth greatest disruption over the past twelve months but has now jumped to first place in the list of future threats. There were many high-profile attacks over the past twelve months on companies that would be expected to thwart attacks, which have meant the issue is now becoming a crucial part of the boardroom agenda."

In Summary,

Horizon scanning leads to the early detection of emerging issues and weak signals and helps towards ensuring there is a rapid, systematic process of pattern recognition to understand positive and negative signs. The impact of change is often highly unpredictable, and the design of effective horizon scanning interventions is grounded in principles and foundations that assert the importance of mapping the landscape, monitoring change, using future techniques, and validating findings. However, this is not to be seen as a technical process; it is a mindset that helps people to think through options and risks they face. For horizon scanning to work well, it is essential to engage multiple stakeholders across disciplines and departments to think through and discuss disruptive change.

There will be events such as Covid that may/may not be predicted by such scanning techniques, however, it does help you gauge the risks over the horizon and devise strategies to prepare accordingly.

If you have been using this technique or a flavor of it, share your experiences in the comments section below. 

References: 

https://www.bsigroup.com/globalassets/localfiles/en-ca/Resources%20ca/Business%20Continuity/bci-horizon-scan-report-2019-ca.pdf

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/663181/Embargoed_National_Cyber_Science_and_Technology_Strategy_FINALpdf.pdf

https://ccdcoe.org/uploads/2020/12/Cyber-Threats-and-NATO-2030_Horizon-Scanning-and-Analysis.pdf

https://www.theirm.org/media/7423/horizon-scanning_final2-1.pdf

Comments

Post a Comment

You may also like to read...

Identification, Authentication, Authorization, and Accountability

By
Image
The 4 steps to complete access management are identification, authentication, authorization, and accountability. Many confuse or consider that identification and authentication are the same, while some forget or give the least importance to auditing. These are four distinct concepts and must be understood as such. Identification Whenever you log in to most of the websites, you submit a username. In case you create an account, you are asked to choose a username which identifies you. This username which you provide during login is “Identification”. It is simply a way of claiming your identity. From an information security point of view, identification describes a method where you claim whom you are. If you notice, you share your username with anyone. Your email id is a form of identification and you share this identification with everyone to receive emails. This means that identification is a public form of information. Authentication So now you have entered you
Continue Reading...

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

By
Image
Identity and Access Management is an extremely vital part of information security. An access control model is a framework which helps to manage the identity and the access management in the organization. There are 5 main types of access control models: discretionary, rule-based, role-based, attribute-based and mandatory access control model. Every model uses different methods to control how subjects access objects. While one may focus on rules, the other focus on roles of the subject. As a security professional, we must know all about these different access control models. While one company may choose to implement one of these models depending on their culture, there is no rule book which says that you cannot implement multiple models in your organization. These models are built into the core or the kernel of the different operating systems and possibly their supporting applications. Every operating system has a security kernel that enforces a reference monitor concept, whi
Continue Reading...

How to Pass SSCP Exam in the First Attempt

By
Image
Systems Security Certified Practitioner (SSCP) exam is offered by (ISC)2 . When I prepared for this exam, there was hardly any material for preparation or blog posts to help me understand the experience of this exam. In this blog post, I will try to explain to you how to study for this exam and the experience of this exam.  Before I begin, let me congratulate on your journey to becoming an SSCP. Although this certification may not be highly recognized as the CISSP certification, still it shows your employer and the world that you are really interested to pursue your career in this field. You become a practitioner in this field. What is SSCP? You would like to read CISSP vs SSCP in case you want to have a comparison between the exams. SSCP is a 3-hour long examination having 125 questions. You are required to score a minimum of 700 out of 1000. 25 questions are not graded as they are research oriented questions. It is important to note that since these questions are
Continue Reading...

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

By
Image
Imagine a system that processes information. This information is classified in nature. When we say, its classified, it means that the information has been labeled according to the data classification scheme finalized by the organization. This scheme can be company specific, such as public, internal and confidential or military/government specific such as Confidential, Top Secret, Secret, Public. As a general user or a security professional, you would want that proper controls to be implemented and the system to be secure that processes such information. Imagine a scenario where such a malicious user tries to access this information. What clearance must this person have? Will he/she have access to all classified levels? Hey!!, stop imagining. Let’s discuss something else now. Hold on, I know, I had asked you to imagine the scenario above. But answers to all your questions would follow, so keep on reading further. We need to learn and understand a few terms before we are ready
Continue Reading...

Cloud Computing - The Logical Model

By
Image
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.  The four layers are : Infrastructure: The core components of a computing system: compute, network, and storage.The foundation that everything else is built on. The moving parts. Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration. Infostructure: The data and information. Content in a database, file storage, etc. Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services. The security at different levels is mapped to the different layers. The application security is managed at the applistructure layer while the data sec
Continue Reading...