Planning for Resiliency: A Lesson Learned from the Facebook Scandal

When crisis unfolds, it is not the event itself that counts. It is the response.

And while the strength of Facebook’s response to the recent Cambridge Analytica scandal has been disputed around the world across conference rooms and dining rooms alike, one thing remains irrefutable- there are no signs that Facebook’s profitability was hit by the scandal that exposed the misuse of up to 87 million users’ personal data.

Facebook reported an increase in both profits and users last week, as Facebook Inc. shares subsequently rose.


“Facebook…..has demonstrated for several quarters how resilient its business model can be as long as users keep coming back to scroll through its News Feed and watch its videos” wrote Reuters journalists David Ingram and Munsif Vengattil in an article commenting on Facebook’s resiliency in the face of major scandal.

So how has Facebook managed to avoid succumbing to this major crisis?

First of all- they’re spending to be sure their users aren’t scared away by scandal. Facebook CFO David Wehner explained that expenses would increase between 50 percent and 60 percent this year, which marks an increase in prior range from 45 to 60 percent. This increase in spending is for users’ safety and security, according to Wehner, and will endow efforts to eliminate fake accounts, eliminate hate speech and remove violent videos.

Another reason why Facebook has fared so well in light of such precarious circumstances is its crisis communications. Though met with a fair amount of discord, Facebook’s public response to the scandal (led by CEO Mark Zuckerberg) has been perceived as mostly honest and transparent.

“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Zuckerberg said in a statement on his Facebook page after news of Cambridge Analytica’s misuse of users’ data began making headlines around the world.

Public discourse shifted favorably towards Zuckerberg after he issued an explicit apology in an interview with CNN: “This is a major breach of trust, and I’m really sorry that this happened”. Oftentimes, the ability to rebuild trust amongst customers is rooted in something as simple as an admission of fault.

When a company is unprepared to handle crisis, even a small predicament can damage that company’s profits, operability and reputation. Yet a company that prepares itself ahead of crisis may have the ability to leverage undesirable events to work in its favor. Instead of frantically reacting to deteriorating circumstances, organizations that are sufficiently prepared will be able to offer timely and appropriate crisis communication to the public and to stakeholders while implementing their pre-designed operational response.

Although it is impossible to plan for everything, organizations can and should plan for crises that are associated with their business’s main functions. To this end- when crisis unfolds- these organizations will be poised to operate proactively in a manner in which they can truly counter undesirable outcomes, as opposed to merely scrambling in attempt to keep things afloat.

What would you do if you were an elected official in the midst of a cyber-attack? -*When Cyber Criminals Target Our Cities*

Co Authored by Chelsea Zfaz and Dr. Moty Cristal

Early morning on March 22, technical issues began interfering with the normal functioning of the City of Atlanta’s computer systems. It quickly came to light that a number of these systems had fallen victim to a ransomware attack. The entry point for the attack was a vulnerable server, which enabled the ransomware to spread to desktop computers throughout the network. The attackers demanded 6 Bitcoins (about 51,000 USD) to decrypt the city’s data.

The City of Atlanta remains crippled a week after the attack, as municipal court proceedings continue to be postponed and police officers and other employees resort to writing reports by hand. Yet government officials and civilians alike should be considered fortunate in that Thursday’s attack did not target more critical services- such as traffic light control systems or the power grid- creating a situation that would undoubtedly have more egregious consequences.

By their very nature as public service providers and guardians, municipalities hold a particularly high level of responsibility to guarantee the security of their constituents’ private information. These organizations are put in an especially precarious position when their systems become compromised. The situation becomes outright desperate when data is encrypted, especially when such encryption threatens citizens’ private information or the functioning of vital municipal services.

  • What would you do if you were an elected official in the midst of a cyber-attack? 

  • Would you pay a ransom to guarantee the safe return of your city’s data?
  • Would you pay a ransom if the funds were sourced from constituents’ tax dollars?
  • Would you need citizens’ approval for such a decision?
  • Would you trust the perpetrators enough to be convinced that paying the ransom would in fact return access to your data?
  • What would you expect the consequences of not paying to be?

According to the Verizon 2017 Data Breach Investigations Report, public sector entities were the third most prevalent breach victims worldwide in 2017 (last year, 12% of all cyber breaches targeted the public sector)[1]. How can all levels and scopes of government ensure they remain ahead of virtual criminal activity that is continuously evolving?

At the Muni Expo in Tel Aviv last month, Ivor Terret, Director of Be-Strategic Solutions, an Israel-based crisis management firm, presented a case study in which a municipality exercised its cyber-attack preparedness and response capacities. The municipality clarified the processes, personnel and equipment it had in place that constructively contributed to effective identification of cyber threat indicators, mitigation of cyber risks and recovery from a cyber-attack. The exercise exposed weaknesses in municipal procedures for risk and threat identification and enabled the municipality to institute practical improvements to established protocol.

The recent breach of Atlanta’s computer systems raises the question of whether municipalities in America are doing enough to protect their constituents’ private information. And while efforts indisputably vary from city to city, one thing remains clear- the more proactive the municipal approach to cyber protections, the more secure the city will remain.

[1] 2017 Data Breach Investigations Report, pg3

Observations on Disaster Preparedness

by Chelsea Zfaz

In 2015, I was recruited to manage a team of humanitarian professionals sent to Myanmar to support the response to massive flooding that inundated a majority of the country. Equipped with an incredible team of water engineers, psychologists and social workers, we set out to the farthest reaches of the country to ensure that even the most remote, isolated communities received access to the emergency relief aid that they so gravely needed.

During my time in the country, I had the great opportunity of working with people and organizations from diverse walks of life, which offered a fascinating window into the IsraAID_Burma_EliseAPAP_013 (002)cultural complexities of a country that, though on the brink of major change, remained rooted in tradition. I worked with tribal leaders from Ayeyarwady, teachers from Magwey, social workers from Myitkyina, NGO leaders from Yangon, pastors from Kale, monks from Sagaing and Internally Displaced Persons Camp managers from Hakah.


There are over 135 different ethnic groups in Myanmar speaking over 100 different languages. In such a sundry country, whose politicians, policies and practices often seem to leverage divisiveness as a tool to achieve various objectives, finding common trends amongst the people I worked with seemed improbable.  Yet, after a couple of months on the ground, I managed to see a through line that once acknowledged, could not be ignored. This trend crossed cultures, religions, socioeconomic statuses and vocations. From aid workers to government officials, from tribal chiefs to law enforcement, from spiritual leaders to entrepreneurs- I learned that people were rarely as prepared for disasters as they thought they were.

I was intrigued by this observation and was enthusiastic about evaluating its prevalence in Fiji, where I would land on my next deployment. I was sent to Fiji in the early Spring of 2016 to support recovery efforts after a category 5 cyclone devastated much of the country. An archipelago of more than 300 islands located in the South Pacific, Fiji has been experiencing increasingly destructive hurricane seasons in recent years and is no stranger to devastating storms. Yet Cyclone Winston, which made landfall in February of 2016, was the most intense cyclone ever recorded in the world’s Southern Hemisphere.

Here again I experienced this sociological tendency in which communities, businesses and government agencies had a certain level of disaster preparedness that had been assumed to be sufficient but had been proven to be inadequate. And again, my experiences showed me that people- regardless of age, gender, ethnicity, religion, social standing, or occupation– are rarely as prepared for disasters as they think, feel or assume.

This trend was so prevalent that upon return to Israel from Fiji, I pivoted my focus to strategic disaster preparedness.

Raising an organization’s level of disaster preparedness is not a simple task, especially when considering that preparedness is determined by a number of policies and practices, many of which rely on action from external actors. The reality is that all capacity-building endeavors involve close collaboration between multiple agencies. Whether you’re working in emergency preparedness or response, or humanitarian aid or development- How do you ensure that all actors (including those who are contracted) cooperate consistently and operate uniformly, and that operations are not only as effective and efficient as possible but are also aligned according to equal standards? Achieving these objectives is possible only through critical analysis of both people and processes and informed assessment of the quality of their dynamic in managing various challenging scenarios.

As someone who has spent innumerable hours reacting to the changing conditions of disaster relief, I see great opportunity in shifting the paradigm from a reactionary approach to a proactive approach in order to refine the quality and efficiency of humanitarian service provision.

Such a shift cannot happen overnight. But I do believe that raising awareness of the importance of preparedness in the collective mind of civil society is a necessary step in reducing the extent of human suffering in the world.

Smart Cities Under Attack – Simulation Case Study

What happens when a city’s critical infrastructure is targeted by cyber criminals? Are there mechanisms in place to ensure operational continuity of the vast network of municipal services? Could traffic be disrupted? Sensitive citizen information leaked?

We are thrilled to be presenting one of our latest Crisis Management Simulations at the MuniExpo in Tel Aviv next week, during which we will be exploring a Smart City’s identification, mitigation and recovery from a cyber-attack.


Mr. Ivor Terret will be presenting at 15:20 in his usual engaging manner the full course of a cyber-attack as was carried out by BeST.

The Emergency Alert System Dilemma: How can authorities leverage technological advancements to aid (and not diminish) strategic disaster risk reduction endeavors?

People across the globe have come to rely heavily on technology, which has proven to be an exceedingly effective tool for wireless emergency alert systems. Wireless emergency alert systems can take a number of forms, but primarily use cell tower and Internet pathways to notify the public on a variety of emergency situations by sending text alerts to mobile phones.

During the wildfire outbreak in California in December, 2017, authorities sent emergency alerts to over 22 million cellphones.

During Hurricane Irma in September 2017 and Hurricane Harvey in August 2017, emergency alerts informed millions of people on changes to the storms’ strengths and trajectories.

The efficacy of emergency alert systems is generally acknowledged yet not without scrutiny.

On Saturday, January 13, 2018, a false alert sent to cellphones across Hawaii sent hundreds of thousands of people into panic as they mistakenly received an alert that read “BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.” As it was, Hawaiians had already been on high emotional alert as a result of escalating tensions between the US and North Korea.

Officials stated that the alert was mistakenly sent as a result of human error, not the workings of hackers or a foreign government. Senator Brian Schats of Hawaii wrote on Twitter: “This system failed miserably and we need to start over”.

The strongest argument against emergency alert systems is their ability to create unwarranted panic in populations facing no threats. So, we pose the question to you- our readers- are emergency alert systems innovative advancements that can save lives? Are they invasive technological-overkill that generate false panic? Or do they fall somewhere in between? How can authorities leverage technological advancements to aid (and not diminish) strategic disaster risk reduction endeavors?

Can we reconcile realistic war-games with insightful facilitation?

Written by Chelsea Zfaz and Dr. Carmit Rapaport
The Methodology of War-games

Contemporary approaches to war-games and tabletop exercises offer a process-focused Good Better Best Dice Representing Ratingsreview of an organization or company’s crisis response capacity. A proven method to enhance a team’s ability to manage a crisis, war-gaming challenges personnel to communicate and collaborate during various simulated scenarios in order to reveal the people and processes that elicit the actual resolution of the crisis.

The pervasive challenge of designing and facilitating effective war-games is simulating realistic scenarios that the participants actually learn to manage while identifying and reporting insights about how and why people think and act the way they do.

The Dilemma

In order to understand the thought-processes and behaviors of participants, simulations are often paused to open space for reflective discussion. Yet this freezing of the crisis management simulation is by no means a realistic step in the management process, it actually directly detracts from the realism of the simulation.

So how can we, as war-game developers, extract insights during war-games that don’t damage the genuine process of crisis management simulations? How can we ensure that the value of the lessons learned while stopping the simulation justifies the cost of the interference?

Is there an Ideal Solution?

In our experience, opening space for exploring the motives of participants lends incredible understanding to outcomes of simulations. A question as simple as “why did you decide to do x/y/z?” can provoke explanations that not only shed light on the causative factors behind people’s reasoning and decision-making but also on the perceptions that players have of themselves and their roles in the larger context of the management scheme. Such reflection on tacit personal and group cognitive processes allows for a better understanding of the entire organizational workflow, and helps in the identification of fundamental gaps in crisis management.

Yet the fact remains that pausing a simulation, even in the name of the most formative discussion, does not reflect what its actually like to deal with crises in reality.

BeST has developed a way to circumvent this dilemma. We’ve created a questionnaire template that players in simulations can use to design inquiries to elicit specific information from other players. Players can ask anything imaginable of other players, and can include as many answer options as desired (open answers present challenges for analysis and therefore are not currently included in the questionnaires).

While these questionnaires do not offer the same level of open discussion as an actual mediated conversation could provide, they’re significantly less intrusive than the alternative. Though facilitating the active questioning of players by players has proven to extract information effectively and non-intrusively, there exists no better method of understanding how and why people think and act the way they do than through open communication. Furthermore, this information can serve as a valuable dataset for further fine-tuning of the crisis management process as well as for other organizational inquiries relating to the daily operational functioning.

So we pose the question to you- how can we, as war-gamers, optimize the extraction of insights while maintaining the realism of our simulations?

From Katrina to Irma and everything in between…

by Chelsea Zfaz

The response to Hurricane Harvey in Texas presents a unique opportunity to evaluate the quality and scope of government and non-government organizations’ emergency preparedness and response capacity.

The United States in general (and Texas in particular) are accustomed to large-scale natural disasters. There is a widespread understanding across the US that emergency preparedness is critical to both the continuity and the efficacy of government agencies, law enforcement agencies, municipalities, medical systems and aid groups alike.

Lessons learned from the response to Hurricane Katrina in 2005 undoubtedly bolstered emergency preparedness efforts for relevant actors vis-à-vis Hurricane Harvey, yet the extent of those lessons and their ability to be translated into a more effectual response have yet to elucidate. 

War-games and tabletop exercises have become the normative mechanisms for increasing emergency preparedness, coordination and response capacities. When discussing their preparation work for post-Katrina disasters, many healthcare workers and emergency responders cited coordination training exercises as primary mechanisms for increasing preparedness within their organizations.

In an interview with the New York Times on preparing for Hurricane Harvey, Darrell Pile, chief executive of the Southeast Texas Regional Advisory Council (which established a catastrophic medical operations center in Houston’s emergency command center), explained that a large association of medical providers had trained and planned regularly for catastrophes, “but honestly, not at this epic level”, he disclosed.

The Texas Medical Center, drawing on tough lessons learned after Hurricane Allison flooded its facilities and forced emergency patient evacuations in 2001, locked its newly-installed submarine doors when Hurricane Harvey made landfall, effectively preventing flooding and protecting every one of its patients.

The Texas Medical Center’s preparedness paid-off for its patients, yet it’s eight helicopters could not land at the center due to high winds. William McKeon, the center’s president and chief executive, explained “I’ve never heard so few sirens as I have in the last few days, which is upsetting. We can be dry and open but if you can’t deliver patients to the medical center, that’s our biggest concern.”

An organization can enjoy the highest level of disaster preparedness possible, yet if it’s partner organizations, delivery services or surrounding environments are lacking readiness to respond, they too shall experience the throes of being unprepared.

Emergency drills and coordination trainings are critical steps in preparing for disasters, yet it is sorely insufficient to claim ‘preparedness’ for a disaster after a single training exercise. The pervasive challenge remains translating lessons learned from trainings and past experiences into enhanced operational procedures and coordination.

Ben Taub Hospital
August 27, 2017: Flood waters inundate Houston’s Ben Taub Hospital, a major trauma center in the Texas Medical Center campus, which had spent billions of dollars on flood protections after Hurricane Allison in 2001.

Powered by

Up ↑