Time to Shift Our Focus: From Inward-Looking Risk Assessments to a Comprehensive, Ecosystem-Wide Approach

Technology has transformed our world in unprecedented ways. It has accelerated globalization, fostered innovation, and created new economic opportunities. However, it has also introduced complex risks that can disrupt socio-economic stability. Our interconnected technological ecosystem has become both a strength and a vulnerability. The recent Crowdstrike incident on July 19, 2024, is a stark reminder of this duality. A faulty software update from Crowdstrike's Falcon agent caused widespread disruptions, impacting individual systems and the entire world. This article explores the incident and its far-reaching implications. It highlights the importance of considering extended socio-economic impacts as a crucial factor in risk analysis and quantification. Risk management frameworks should not be just inward-facing but must include outward-facing factors such as socio-economic impacts. At OPTIMAS.AI Inc research labs, our thought leadership has already pioneered the Business Technology Exposure and Resilience (BTER) framework, incorporating these broader considerations. This approach will soon be open-sourced to help organizations adopt inward and outward-facing risk management strategies.

What Happened?

The Crowdstrike incident on July 19, 2024, involved a faulty software update to the Falcon agent, causing Windows systems to crash with Blue Screen of Death (BSOD) errors. Systems primarily experienced crashes and became unbootable without manual intervention. This incident affected services across various sectors, including airlines, banks, and healthcare systems, causing significant operational downtime and widespread inconvenience. The ripple effects were felt globally, highlighting the fragility of our interconnected technology infrastructure.

Why It Matters?

Traditional cyber risk quantification often focuses on the direct impact on the affected organizations. Whether it’s Crowdstrike, Microsoft, or their customers, the approach remains largely inward-looking. Each entity assesses the cyber risk from its own perspective without fully accounting for the broader implications. This incident, however, underscores the importance of understanding the interdependence within our technological ecosystem. The interconnected nature of these systems means that a single point of failure can have wide-ranging socio-economic impacts. Therefore, it is crucial to incorporate socio-economic factors into risk analysis models to fully grasp and mitigate these broader implications.

Real Case Study

On July 19, 2024, a senior executive of OPTIMAS.AI Inc personally experienced the chaos caused by this incident. Needing to travel from Los Angeles to Raleigh-Durham, what should have been a 4-hour flight turned into a 72-hour ordeal involving multiple flight cancellations, over 36 hours of wait time across various airports, untraceable baggage, and significant trauma, stress, and fatigue. In total, our executive lost 3 productive days.

According to public records, a leading US airline cancelled 4000 flights. With an average passenger load factor of 84% and 200 seats per flight, approximately 672,000 passengers were affected. Assuming each passenger lost an average of 2.4 days, this incident resulted in a total of 1,612,800 lost days, which translates to 38,707,200 lost hours. This widespread disruption had severe personal and professional impacts, causing missed personal commitments like educational, academic, and sporting events, as well as business commitments.

This real-life example highlights the extensive socio-economic repercussions of such incidents, affecting not just individuals but also businesses and services connected to the affected sectors.

The Broader Implications

The Crowdstrike incident is a stark reminder of the broader implications of cyber incidents. The disruption affected airlines, which in turn impacted car rental companies, insurance providers, logistics, healthcare, and hospitality sectors. The ripple effects extended far beyond the immediate technical issues, causing significant socio-economic repercussions.

For example, the increased demand for car rentals due to flight cancellations benefited car rental companies but also led to shortages and increased prices. Hotels and other hospitality services experienced sudden spikes in demand, resulting in overbookings and inflated rates. Conversely, the inability to fulfill logistics demands for essential supplies like medicine and food had severe socio-economic consequences. This interconnectedness means that an incident in one sector can have a domino effect, impacting numerous other industries and ultimately society at large.

Socio-Economic Losses Faced by Airlines

This incident has had significant socio-economic losses for various airlines globally including the likes of Delta Airlines ,American Airlines, and many more:

1. Operational Disruptions: Managing crew, ground staff, rescheduling flights, and baggage handling became logistical challenges.
2. Financial Losses: Grounding flights, rebooking tickets, and compensating for cancellations and eligible expenses led to substantial financial setbacks.
3. Customer Trust and Reputation: The incident damaged customer trust and negatively impacted the brand’s reputation.
4. Technology Dependency: The lack of a robust disaster recovery plan and extensive dependency on a single vendor or technology were highlighted.?

The BTER Framework

At OPTIMAS.AI Inc , this incident has reinforced our pioneering approach to including socio-economic factors in risk analysis. The Business Technology Exposure and Resilience (BTER) framework already incorporates socio-economic risk quantification. This approach goes beyond assessing risks from an organizational perspective and considers the impact on the entire ecosystem, including societal and economic factors.

The BTER framework aims to provide a comprehensive understanding of the true business impact of technology-related incidents. By considering the broader socio-economic effects, organizations can develop more robust strategies to mitigate risks and enhance resilience. Read more on the BTER framework: ?https://www.dhirubhai.net/pulse/introducing-bter-revolutionary-framework-business-rjzsf/?trackingId=QDKhcCy686aMhvEwa5gzOA%3D%3D

Business Impact Analysis

Organizations need to adopt a holistic approach to business impact analysis, focusing not only on the direct effects on the company or its immediate customers but also on the broader socio-economic repercussions. The BTER framework emphasizes understanding the true business impact across the entire ecosystem, including the cascading effects on various industries and communities.

For instance, the loss incurred by some american airlines due to the Crowdstrike incident is not just an internal risk for the airlines but a broader socio-economic risk affecting passengers, connecting flights, car rentals, and more. By adopting this comprehensive approach, organizations can better prepare for and mitigate the far-reaching impacts of technology-related incidents.

Conclusion

The Crowdstrike incident has provided valuable lessons in the importance of a comprehensive risk management strategy. Socio-economic factors must be included as part of any organization’s risk framework to fully understand and mitigate the impacts of incidents. It’s time to shift our focus from inward-looking risk assessments to a broader, ecosystem-wide perspective.