Organisations should set realistic criteria so that the test or exercise gives an accurate assessment of their ability to manage cyber security incidents efficiently.
Organisations should also avoid the mentality that every pre-established criterion must be met for the test or exercise to count as a success. Some components of the CIR plan are more challenging to execute than others, so meeting every criterion in a single test or exercise is unlikely.
Additionally, a test or exercise takes place in a simulated environment that is very different from the conditions experienced during an actual cyber security attack. Organisations should not become complacent because a test or exercise produced excellent results; a team that performs well in rehearsal can still panic and fail to execute the appropriate procedures when a real incident occurs.
The following baselines can be used as a starting point for developing success criteria:
At least 90% of the intended participants should take part in the test or exercise. One purpose of testing and exercising the CIR plan is to ensure that employees can react to a cyber security attack by executing the documented procedures. If most employees do not participate, they will not know the appropriate measures to take, which jeopardises the organisation and increases the potential damage suffered.
Participants should resolve the scenarios presented during the test or exercise. Familiarising employees with the cyber security incidents that could affect their organisation, and with the corresponding procedures, improves their ability to manage such incidents efficiently.
If employees are disinterested and not fully engaged during the test or exercise, weaknesses in the response will go unnoticed and may later be exploited by cybercriminals, and the wrong procedures may be executed during an actual cyber security attack.
The CIR plan will have been disseminated to participants before the test or exercise. Employees who treat cyber security as a secondary priority will not bother to read the plan, and during the test or exercise they will be oblivious to their roles and responsibilities and to the procedures they are expected to perform during a cyber security incident.
Performing specific processes in a particular order to manage the incident scenarios stimulates the participants' thinking and improves their decision-making in a simulated high-stress environment. During an actual cyber security attack they are better prepared for the chaos, because they are familiar with the actions required at each stage of the attack, and their improved judgement allows the response process to flow smoothly.
A cyber security attack affects different parts of the organisation. A lack of coordination between those parts can cause the organisation to suffer more damage than necessary.
“Teamwork makes the dream work”: when everybody is on the same page and working to keep critical business functions (CBFs) operating during a cyber security incident, potential impacts can be minimised and the organisation can continue to provide products or services to its customers.
Information is needed to make the right decisions so that a cyber security incident can be resolved efficiently. Depending on the organisation's profile, various parties will be involved in tackling the attack. Communication channels should be pre-established so that every relevant party is aware of the current situation and information can be exchanged to decide which component of the CIR plan to activate.
The unpredictability and volatility of a cyber security attack make it dangerous to all organisations. Regardless of the amount of preparation, some organisations still fail to manage incidents effectively. Because cyberspace is ‘live’, it is difficult to pinpoint the vector from which cyber criminals will attack or to predict how the situation will develop. The only remedy is to train employees in critical thinking and in making swift, appropriate decisions in a high-stress environment.
Having the CIR plan documented is not sufficient, since employees can neglect its contents and leave the organisation vulnerable to cyber security attacks. Tests and exercises must therefore be conducted to ensure that every employee knows the content of the CIR plan and can execute the appropriate procedures, improving the organisation's overall ability to manage cyber security incidents effectively.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 9 Testing and Exercising, Section 9.7 Baseline for Success Criteria.
Note: This version was the draft 2nd Edition being updated in 2023. The numeric in the square bracket [X-X] cross-refers to the actual chapter and section in the 1st Edition.