1

Cybersecurity: Contingency and Business Continuity Planning

Oluwatobi E. Lowen

Department of Information Technology, University of the Cumberlands

ITS 834: Emerging Threats & Countermeasures

Dr. Irvin Heard

May 14, 2024

Cybersecurity: Contingency and Business Continuity Planning

The business world thrives on its ability to adapt and evolve in the face of

unforeseen challenges. Disruptions, whether natural disasters, cyberattacks, or

economic downturns, can significantly impact operational efficiency and financial

stability. Contingency planning and business continuity planning (BCP) emerge as

potent instruments in addressing this vulnerability. Contingency planning focuses on

developing backup strategies for specific, well-defined events that might disrupt normal

operations. Conversely, BCP encompasses a broader framework, outlining

comprehensive recovery plans to restore business functionality after a major disruption.

The two approaches mentioned above have a common foundation: scenario

planning. This research paper explores the importance of scenario planning, a key

element of contingency planning and BCP. It explores some of the many benefits of

scenario planning, the questions to consider when implementing scenario planning, and

some common types of scenario planning. This paper emphasizes the relevance of

scenario planning in ensuring uninterrupted business activities in the face of disruptive

challenges like security breaches and hacker threats.

Benefits of Scenario Planning

There are many benefits of contingency planning and BCP to business

organizations. Mızrak (2023) highlighted risk mitigation, improved decision-making,

efficient use of resources, stakeholder trust, and innovation initiatives as some of the

benefits of prioritizing cybersecurity risk management in an organization.

 Enhanced Risk Mitigation: When all forms of disruptive scenarios are identified,

organizations can effectively develop plans and strategies to mitigate the

challenges. This, in turn, reduces the chances of disruption to business

operations or potential business shutdown.

 Improved Decision-Making: The consideration all possible vulnerabilities

naturally puts the management of a company in the position to proactively

consider all sorts of solutions and settle for the best strategies that perfectly align

with their business objectives and the organization’s culture. Organizations can

simulate all these catastrophic events in a controlled environment, collect data on

the consequences of each event, and make data-driven choices based on the

insights gathered.

 Resource Optimization: Another benefit of anticipating all possible scenarios is

that it gives the organization the chance to try out possible solutions in a

simulated environment. This way, the company can figure out the most efficient

and cost-effective solutions. Resources can therefore be better planned for and

utilized in the most efficient and optimal way. Also, the organization will ensure

the availability of all required resources for such unwanted scenarios.

 Increased Stakeholder Confidence: A solid contingency and BCP strategy can

boost confidence among stakeholders, including investors, employees, and

customers. Organizations can present their risk management strategies to

assure their stakeholders of their readiness to combat any threat to their

business operations or business growth.

 Enhanced Innovation: In the process of figuring out effective and optimal

solutions in a simulated threat environment, there is room for creativity and

innovation. Different ideas are considered which can lead to identification of new
4

business opportunities. As markets evolve in the face of rapidly advancing

security threats, scenario planning can potentially lead to the development and

launch of new and improved products.

Questions to Consider When Implementing Scenario Planning

While scenario planning offers numerous benefits, its successful implementation

rests on the careful consideration of some important questions:

 What Are The Most Likely Disruptions?: The first step usually is to identify the

most common types of disruptive events for an organization’s business

operations. This step involves the consideration of all the past scenarios in the

company and other companies with similar business operations, as well as inputs

from experts to figure out the most likely events that could be detrimental to the

company and its brand.

 What Resources are Critical?: It is also important to itemize all the important

company resources that will be needed combat threats and to maintain smooth

business operations. This allows the company to makes adequate provisions for

the resources, even if they are not needed for the regular day to day business

operations.

 What is the Acceptable Downtime?: It is almost impossible to achieve a

hundred percent resistance against all threats, but when disruptions happen,

there must be a strategy to end it. One of the key components of the strategy is

to determine how much downtime can be tolerated so that things don’t get out of

hand.
5

 What Communication Strategies are Needed?: Effective communication is

very important during disruptive events. In scenario planning, we need to

consider how and to whom critical information should be communicated. While

there is a need for fast dissemination of information, there is also a need for

controlled dissemination of information so as not to cause panic and public

distrust.

 How Will We Test and Revise Our Plans?: As mentioned earlier, the nature

and method of disruptive events are constantly evolving, so there will never be a

permanent strategy to address current and future events. There is a need for

constant revisiting of the established procedures to address new and emerging

threats. As business also grows, there will be a need to address the new

dynamics of the business in their contingency plans. Therefore, there should be a

laid down policy on how often tests and revisions should be made.

Common Types of Scenario Planning

There are so many proven methods for conducting scenario planning, each with its

own unique advantages:

 Trend-Based Scenarios: This approach considers current trends and events to

anticipate future events. It generally uses historical data to predict all possible

future occurences.

 Wild Card Scenarios: This method focuses on unlikely events whsich may be

called outliers, or the "black swan" events as some would have it. Kanungo

(2020) describes these events as less probable but can have devastating

consequences if not considered. It is in the company’s interest to explore all

these outliers to avoid being caught in an event that they were never prepared

for.

 Good News/Bad News Scenarios: This approach explores both positive and

negative possibilities. Best-case and worst-case scenarios consider the severity

of events from the two ends, and the organization can rightly proffer solutions

that is tailored to the exact nature of the disruption.

 Ladder Scenarios: This methodology involves considering and planning for

different degrees of severity for each possible event, not just the best and worst

case. This makes an organization plan more elaborately since all possible levels

of severity must be planned for.

Conclusion

Contingency planning and BCP empower organizations to navigate the

complexities of the modern business environment. Scenario planning lies at the heart of

these processes, equipping organizations to anticipate disruptions, mitigate risks, and

ensure business continuity. By strategically considering potential scenarios,

organizations can make informed decisions, optimize resource allocation, and enhance

stakeholder confidence. As the business landscape continues to evolve, the ability to

anticipate and adapt to change will remain a critical differentiator. By harnessing the

power of scenario planning, organizations can cultivate resilience and pave the way for

long-term success.
7

References

Kanungo, J. (2020). Organisational Preparedness for the Unforeseen: A Review of a

Black Swan Event. ASBM Journal of Management, 13.

Mızrak, F. (2023). Integrating cybersecurity risk management into strategic

management: a comprehensive literature review. Research Journal of Business

and Management, 10(3), 98-108.