Crisis at Scale

BLUF – We have already moved to an understanding of crisis as part of our BAU; much like the tide, it ebbs and flows with regularity. Constant crisis creates new tolerance thresholds whilst shifting perception away from incidents being of note or cause for alarm. No sirens are sounded, as the chorus would be indistinguishable.


After reading the recent Ransomware Task Force's report, we get another incident to discuss – the Colonial Pipeline. While there are a variety of issues to choose from – the incident itself, attribution, transparency, impacts to the various stakeholders, economic effects, the list goes on – underlying them all is our understanding of crisis and how different vantages perceive it.

Look at the challenges found with different impact scales –

  • Direct – the individual or organisation is on the receiving end of an incident, requiring direct action. In cyber this would be SolarWinds or Colonial Pipeline. It’s being in the blast radius or having something directly affected.
  • Indirect – a second-order effect; the organisation is affected by the effects felt by the direct victim of the incident. These are the effects for everyone who has to check constantly whether SolarWinds had an impact on their systems, vendors, etc. It’s every bit upstream and downstream needing to adjust their operations because of Colonial Pipeline.
  • Local – the organisation is close, knowing others directly/indirectly affected. This can still feel as though one is a part of the incident and may result in support efforts. The proximity (either physical or virtual) lends weight by allowing the effort’s impacts to be visible, along with the knowledge that something is being done. It’s also more easily dismissed as being a trouble for others, as there are no first- or second-order impacts felt.
  • Regional – the difficulty in connecting to the incident increases, and it starts to depersonalise. The sense of other allows for more perceived objectivity, less weight in empathy. Whilst familiarity is present, it’s a passing familiarity.
  • Global – connectivity aside, it is difficult for any incident to be truly global. Even with the pandemic occurring globally, the incidents of note gained attention on a local/regional level. For something to be truly global, there are no other people’s troubles that are not shared, indirectly at the very least. Much as we talk about global crises, the effect felt globally is minor irritation interspersed with massive casualty events at local levels.

Response options are limited under these conditions as there isn’t time to clear the responses, much less learn from the last. In cyber, we have adopted a collective battening of the hatches. With neither time nor resources to examine what happened to others (we may log them for regulatory evidence and recordkeeping), the constant hum of dread desensitises both the individual and the collective to crisis – not just a particular variety, but crisis as a whole.

Unless one finds an aspect to identify with, it’s much easier to tuck things to the back of the mind – at best depersonalising the event, at worst dehumanising those affected.

There are shifts required to make pre- and post-crisis actions effective. They may vary by scale of the crisis. Will continue next week.