Redcentric plc

10/25/2024 | Press release | Distributed by Public on 10/25/2024 06:24

Murphy’s Law’s application to cyber resilience

We've all heard of Murphy's Law, the adage that "If anything can go wrong, it will". Although similar statements have been made throughout history, the "law" as we know it was actually coined by a real person - a US aerospace engineer named Edward A. Murphy Jr. He was an R&D officer in the United States Air Force at Wright-Patterson Air Force Base in the late 1940s, involved in high-speed rocket sled experiments. Murphy regarded the "law" as encapsulating a key principle of "defensive design", in which one should always assume worst-case scenarios.

Murphy's Law has remained a popular (and occasionally misused) adage, and although over many years it has almost become a meme, it still has some very real relevance to resilience. How far you take that "defensive design" posture will very much depend on your organisation's risk appetite, the environment within which it operates, and its day-to-day operations, but we can still usefully refer to Murphy's Law and its variations when we're building resilience… even if it's in a light-hearted way.

In this blog we will look at some of the scenarios where Murphy's Laws can be applied to cyber resilience, so you can keep your business running smoothly on every occasion.

Murphy's First Law: If something can go wrong, it will.

Business continuity (BC) is a foundational component of organisational resilience, and to develop effective BC capabilities and plans, it's vital to have a detailed understanding of the priorities for BC - what needs to be recovered, how quickly, and why?

How is this done? Well, by analysing the internal and external business criticalities and the consequences of disruption to key business assets and their dependent products or services. This gives us an understanding of what REALLY matters to a business in the aftermath of an incident. That is, of course, the purpose of a Business Impact Analysis (BIA), and it provides essential information that helps form the foundation upon which BC planning can be developed.

All too often though, Murphy's First Law is ignored during BIAs. Time and again we see unfounded assumptions being made - "Oh, that'll never happen!", or "We've got that covered". Yet experience informs us that - if something can go wrong, it will - and planning for the worst-case scenario means you'll be able to more easily deal with an incident that's not so serious. So, the one and only assumption you should be making in a BIA when considering the consequences of a disruption is that Murphy's First Law is alive and well.

But when conducting a BIA there are some broad things you should think about:

  • Avoid being distracted by what's been happening in the daily news cycle - sometimes you find yourself (and your colleagues) being drawn down rabbit holes into worrying about sensationalist headline news.
  • Understand how your organisation perceives risk - how do risks and opportunities present themselves to your business? Is yours a business that is deeply risk averse or does it have a less cautious risk appetite? Does this differ across the business either by geography or function?
  • You won't be able to predict or prevent every potential disruption, so concentrate on the worst outcomes as far as your products and/or services are concerned, and how this will impact:
    - Finances
    - Your reputation or brand
    - Colleagues
    - Customers
    - Regulatory or legal obligations
    - Key partners

And remember that a BIA is not a one-off exercise; it's something that needs to be repeated on a regular basis: as the business environment changes, as new technologies are developed and deployed, and as your business evolves.

Redcentric's Resilience Consulting team have helped organisations large and small, private and public sector, profit and non-profit, with their BIAs and then helped them define their resilience requirements and how to develop and build that resilience.

Remember… hope for the best, plan for the worst.