Traditional forecasting predicts the future based on past historical information, has a short-term perspective, uses experts, is fact based, uses a theoretical model to predict the future, and does not factor in risks and uncertainties.  Forecasting plans for one future (Mortlock, 2021).  An excellent example of traditional forecasting is weather forecasting (Weather Underground, 2022).  Weather forecasting uses past data to make short term forecasts.  Based on past history and the radar returns on the clouds in the storm front approaching Stafford, a severe thunderstorm is predicted.  It is fact based, uses experts, and is short-term.  There is little or no uncertainty; the storm will hit soon.  Another example would be forecasting a developer’s expense rate.  If I have a software developer who is building a project using ten people, their monthly expense rate is known and generally static (with some fluctuations for holidays and leave).  I can forecast what the next three month’s expenditures are based on the previous year’s expenditures.  My forecast would be relatively accurate, unless something out of the ordinary occurs.

Scenario planning is a thinking process to plan for potential futures based on risks and uncertainties.  In other words, planning for multiple futures.  Scenario planning has a long-term perspective, has many assumptions, is based on relationships and causality, and considers risks and uncertainties (Mortlock, 2021).  With my employer, we tend to think of two futures; most-likely case and worst case.  From a cybersecurity perspective, one of the worst problems for an organization is the risk of an insider threat (Zimmer et al., 2021).  We cannot forecast with any certainty which organizations will have an insider threat, but we can create a scenario where an insider threat has occurred.  Similarly, we cannot know what computer networks have been compromised by either an insider threat or an Advanced Persistent Threat (APT), but we can create scenarios where those compromises have occurred (NSA, 2014).  And, if the scenario is likely, we can create architectures assuming the threat is inside and present (NSA, 2021).

For forecasting, I think short term and knowable, such as weather or expenses.  For scenario planning, I look at worst case and likely case, with guesses and estimates.  Using my cybersecurity example, my worst case is that I have an insider threat and an APT on my network, working with each other.  My most likely case is that I have an APT on my network.  My mitigation is to use a zero-trust architecture, and to use the recommended strategies for ensuring employees do not become insider threats.  In this way, I am attempting to mitigate my worst case and most likely case scenarios.

 

References

 

Mortlock, L. (2021). Scenario Planning vs. Forecasting: 6 Questions to Ask to Prepare for a Post-Pandemic Future. https://www.leadershipnow.com/leadingblog/2021/05/scenario_planning_vs_forecasti.html

 

NSA. (2014). Operating on a Compromised Network. https://media.defense.gov/2020/Jul/09/2002451274/-1/-1/0/OPERATING%20ON%20A%20COMPROMISED%20NETWORK%20-%20COPY.PDF

 

NSA. (2021). Embracing a Zero Trust Security Model. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF

 

Weather Underground. (2022). Stafford, VA Severe Weather Alert. https://www.wunderground.com/severe/us/va/stafford/KVAAQUIA2

 

Zimmer, E., Burkert, C., & Federrath, H. (2021). Insiders dissected: New foundations and a systematisation of the research on insiders. Digital Threats: Research and Practice (DTRAP), 3(1), 1-35. https://doi.org/10.1145/3473674