Determine the Real Impact of a Security Breach Using the “So What?” Technique

Back in 2010, during my university days in Istanbul, I had an English teacher who was an ex-US military officer. His classes were not just about grammar and vocabulary. They were a blend of English lessons, life in general, US politics, and some tales from his military days. One specific lesson stands out in my memory, where he introduced us to two useful analytical techniques: the “Five Whys” and the “So What?” methods.

The “Five Whys” is a well-known problem-solving approach used to identify the root cause of an issue. It involves asking “why?” repeatedly until you reach the core of the problem. For example:

1. Why isn’t the website loading?
— The server’s RAM is exceeded.
2. Why is the RAM exceeded?
— We’re experiencing an abnormal traffic spike.
3. Why is there a traffic spike?
— Our marketing team has just released a new social media post.

It’s a good method. However, it was the “So What?” technique that captured my attention. According to my teacher, this method was used in the US military to assess the true impact of an event. This method involves asking “so what?” after each statement about an event to understand its main consequences. For example:

Event: Our military base has been attacked.

1. So what? Two soldiers are down.
2. So what? It will be covered in the media.
3. So what? Our strategy will be criticized by the media.
4. So what? It can impact votes in the upcoming election.
5. So what?

At this point, we’ve reached a potential main impact: influencing election results. While it might seem heartless and unethical to some (it actually is) It helps in reducing panic and focusing on the main impact.

Interestingly, I haven’t been able to find any documentation of this technique online and even ChatGPT seem unaware of it. This leaves me wondering if it was a genuine insider method or my teacher made this up? Regardless of its origin, I’ve found it valuable in both my personal life and cyber security career.

Using it in Cyber Security

In cybersecurity, the “So What?” technique is useful for assessing breach impacts. We often exaggerate the severity of security incidents and react with panic. However, the actual impact is usually not as significant as we perceive. Let’s look at the following scenario:

Event: We’ve been breached.

1. So what? Hackers stole 100k customer information.
2. So what? People will criticize us on Twitter and LinkedIn.
3. So what? Our stock prices can drop, and we have to pay a GDPR penalty.
4. So what? We will lose money.
5. So what? We might need to lay off some people to save money.
6. So what?

By continuing this process, we discover that the true impact might be layoffs, which, while unfortunate, might not be as catastrophic as initially thought.

Consider a more severe scenario:

Event: Hackers breached our database.

1. So what? They deleted all of our customer data.
2. So what? Our last backup was taken six months ago.
3. So what? We will lose 70% of our customers.
4. So what? Our company financially can’t recover from this.
5. So what? We have to sell the company.
6. So what? We will sell it for one-third of its actual value.
7. So what? Less money will come to our pockets.
8. So what?

This technique also helps maintain psychological resilience during difficult times. Understanding that the ultimate impact is earning less money rather than total ruin can be a protection against depression (or worse).