Documentation - Scenarios
A major incident is often not the result of a single vulnerability, but of a series of events. For example, the hack in the port of Rotterdam started with the download of a software update infected with malware, because the supplier had been hacked. Via an international internal network (network segmentation and internal firewalls were missing), the malware was able to reach the systems in the port of Rotterdam and actually infect them because security updates had not been applied.
In this step, think about how multiple threats combined can lead to a major incident. Such a scenario may feel somewhat Hollywood-esque, but so did the descriptions of the DigiNotar hack and the attack on the port of Rotterdam beforehand. A scenario is not about whether it is probable, but whether it is technically possible.
The threat assessment documentation recommends including low-risk threats. These are possible stepping stones to a major incident. So consider these risks as well, to determine whether they can become part of a scenario.
By devising one or more scenarios based on the specific threats identified, the seriousness of the individual threats and vulnerabilities can be made more understandable. This makes it easier to draw attention to the necessity of the mitigating measures and the investments that may be necessary for this.
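The following added example (not part of this documentation) shows one way to make the scenario step concrete: each threat from the assessment is recorded with the attacker position it requires, the position it grants, its individual risk rating and the control that would remove it. A scenario is then simply a chain of threats leading from an initial position to a major-incident outcome. The threats, positions and control names below are constructed for illustration and loosely follow the supply-chain storyline above; they are not taken from any real assessment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    id: str
    description: str
    risk: str          # the individual rating given in the threat assessment
    requires: str      # attacker position that must already have been reached
    grants: str        # attacker position reached if this threat materialises
    mitigated_by: str  # control that removes this step when it is in place


# Constructed sample threats (hypothetical; not from the page), loosely following the
# "infected update -> flat network -> unpatched systems" storyline.
THREATS = (
    Threat("T1", "supplier delivers a malware-infected software update",
           "low", "internet", "malicious_update", "update_signature_verification"),
    Threat("T2", "infected update executes on an office workstation",
           "medium", "malicious_update", "office_foothold", "application_allowlisting"),
    Threat("T3", "malware spreads over the unsegmented internal network",
           "low", "office_foothold", "operational_network_reach", "network_segmentation"),
    Threat("T4", "unpatched operational systems are exploited",
           "medium", "operational_network_reach", "operational_systems_compromised",
           "security_updates"),
    Threat("T5", "phishing mail gives a foothold on an office workstation",
           "high", "internet", "office_foothold", "mfa_and_awareness_training"),
)


def find_scenarios(threats, start, goal, controls_in_place=frozenset()):
    """Enumerate every chain of threats that leads from `start` to `goal`.

    A threat is only usable in a chain when its mitigating control is absent,
    so the same function answers "which scenarios remain after investing in X?".
    """
    usable = [t for t in threats if t.mitigated_by not in controls_in_place]
    scenarios = []

    def walk(position, chain, visited):
        if position == goal:
            scenarios.append(tuple(t.id for t in chain))
            return
        for t in usable:
            # `visited` keeps the walk on simple paths, so cycles cannot loop forever
            if t.requires == position and t.grants not in visited:
                walk(t.grants, chain + [t], visited | {t.grants})

    walk(start, [], {start})
    return scenarios


def stepping_stones(threats, scenarios):
    """Low-risk threats that nevertheless appear in at least one scenario."""
    by_id = {t.id: t for t in threats}
    used = {tid for chain in scenarios for tid in chain}
    return sorted(tid for tid in used if by_id[tid].risk == "low")


def controls_that_break_every_scenario(threats, start, goal):
    """Single controls whose presence leaves no scenario that reaches the goal."""
    candidates = {t.mitigated_by for t in threats}
    return sorted(c for c in candidates
                  if not find_scenarios(threats, start, goal, frozenset({c})))


if __name__ == "__main__":
    goal = "operational_systems_compromised"
    chains = find_scenarios(THREATS, "internet", goal)
    for chain in chains:
        print(" -> ".join(chain))
    print("low-risk stepping stones:", stepping_stones(THREATS, chains))
    print("single controls that stop every scenario:",
          controls_that_break_every_scenario(THREATS, "internet", goal))
```

Run as a script, it lists the two chains that reach the major-incident outcome, reports that the two threats rated "low" on their own (the infected update and the flat network) are both part of a scenario, and shows that only network segmentation or timely security updates each cut every chain by themselves. That last list is the kind of result that makes the case for a mitigating measure, and its cost, easier to explain to decision makers.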