You probably hear the news about a passenger was physically dragged off an United flight on Sunday April 9th after no one volunteered to get off the overbooked airplane.

This incident started with the United Airline overloaded a flight from Chicago to Lousiville. So, they had to ask for volunteers to take a later plane. Because no one wanted to do so, the airline randomly selected 4 passengers. While one chosen passenger refused to leave, the security officers wrestled the man out of the seat and dragged him down the aisle.

Very soon, stunning videos captured from the scene and emotional comments were flooding social media sites. United Airline CEO apologized for the overbooking and the incident on Monday. However, people from everywhere are still condemning the airline. As a result, the company lost about $1 billion worth of the market value on Tuesday.

So, as someone in the Cybersecurity field, what can you learn from this breaking news?

Lesson #1 – Never underestimate the impact of a security incident

$1 billion sounds like a huge amount, however, it would be trivial comparing with the damage to the company branding and the customer trust in the long run. We have seen many these cases in the Cybersecurity field. Companies like Yahoo, Home Depot, and Target lost so much due to a single security breach, and they are still paying for it today. For small and medium sized organizations, the consequence of an improperly handled incident could wipe off years of profits and even knock down the business. With the wide use of mobile phones and social medias, any negative news could be quickly amplified to the whole world and could cause a huge PR disaster.

Lesson #2 – Get prepared for possible scenarios

When is the best time to handle an incident? The right answer is: “before it happens”! The overbookings seem like a common practice to many airlines. I am not intent to argue whether this practice is right or wrong. But because it is something they all decide to do, they’d better prepare for those negative scenarios including the one happened to the United Airline – what if a selected passenger refuses to give up his/her seat? Although it could be a complicated case, the airline should have sufficient time to design the process properly beforehand.  Hauling and dragging a passenger off the plane is something questionable by most of people especially combining other two factors: the airline overbooked the flight first; the vacant seats were for airline employees.

Lesson #3 – Follow a right incident handling process

Regardless how well you are prepared, things happen! Just like there is no 100% security. Sooner or later, a company would get hacked. So, the most important thing in Cybersecurity is called “Cyber Resilience”. In other words, how do you follow a right incident handling process to quickly contain the damage and put the business back to normal.  The good news is: you do not need to reinvent the wheel. Some industry leading organizations have already provided sound frameworks based on years of practice and research. For example, the  NIST SP 800-61 – Computer Security Incident Handling Guide provided by the National Institute of Standard and Technology, it suggests a 4-stage incident response life cycle including: Preparation, Detection & Analysis, Containment & Eradication & Recovery, Post-Incident Activities. Adopting and practicing a right incident handling process on the regular basis will significantly lower business risks.

I am not sure how the United Airline will eventually recover from this incident. But hopefully this $1 billion worth of a lesson will remind you to look into your incident response process before it is too late.


Bryan Li is the managing director at Cybersecurity Project. He is available to discuss your cybersecurity  awareness, training, and consulting needs. Please email