In-depth preparation (Rainey, 2017) will most likely result in successful tabletop exercises. Before developing the cyber scenarios, the team designing the test has to meet some prerequisites.
The tabletop exercise's targeted audience is busy performing daily operations, some of which are of higher priority and take precedence over the exercise. Hence, the number of scenarios, the timing and the location of the exercise should be determined early so that the participants can set aside time to participate. Once these three factors are finalised, minimise the probability of changing them, as any changes might result in conflicting schedules.
The attendance of participants for the exercise is crucial because it ensures that all members are aware of and trained on the appropriate response procedures to undertake during a cyber security attack.
Additionally, the team has to determine who should be taking part, depending on the scenario. From here, different objectives are established for the participants of the exercise to aim for.
The success or failure of the exercise is determined by how many objectives are met. If the exercise is a success, the participants can return to their respective departments and train their staff on the procedures.
If it is a failure, adjustments must be made to improve the CIR plan. Once the improvements have been made, a follow-up exercise is conducted to evaluate the improved procedures. This cycle continues until all objectives of the exercise are met.
The scenarios developed have to be realistic to simulate the actual environment of a cyber security attack. Although it is less stressful than an actual cyber security incident, valuable lessons can still be gained from the exercise as the scenarios developed are aligned with the cyber security incident management processes and kill chain.
The participants of the exercise have set aside a period in which they could otherwise have continued their daily operations to participate in the exercise. It is also a rare opportunity for key players from different organisation departments to gather in one location.
Therefore, maximise the learning opportunities during the exercise by providing them with multiple scenarios in which they work as a team and go through the mitigation and response procedures.
The scenarios given to the participants during the exercise should prompt interactions among themselves; through coordination and alignment of processes, the ability to manage cybersecurity incidents can improve.
Since the participants have gathered, the time spent in the exercise has to be optimal. The scenarios should highlight the severity of cyber security attacks on the organisation to instil the mindset in the participants that effective management of cyber security incidents is their responsibility, encouraging them to communicate and share opinions.
Although the scenarios require the participants to think, they should not overthink. Some participants tend to find faults (Rainey, 2017) within the scenarios as their thought processes are slightly different. Complicating the scenarios does not help anybody as it throws the entire exercise into mayhem, making communication between parties much more difficult. It is the facilitator’s responsibility to prevent this situation from occurring. Under normal circumstances, when the participants reach a dead end, the facilitator should guide them by asking questions, not giving the answers directly, so the participants can adjust their thought process and response procedures appropriately to resolve the scenario.
Based on the exercise results, the organisation can decide if they can proceed with testing another component of the CIR plan or if some adjustments must be made to the documentation and a follow-up exercise needs to be conducted.
One of the objectives of conducting a tabletop exercise is to improve the organisation’s ability to manage any cyber security incident. Hence, during peacetime, in a stress-free environment, the participants can use this opportunity to discuss and review the failures (Rainey, 2017) that were identified during the exercise.
Actions that can be implemented to improve the plan document are identified and followed up on.
After multiple tabletop exercises, the participants become accustomed to the simulated environment of cyber security incidents, and the level of teamwork between the respective parties increases. The focus should then shift to executing specific processes and procedures to handle targeted simulations.
The goal of the tabletop exercise (State Office of Cyber Security, 2016) is to increase security situational awareness and to facilitate discussion of incident response in as simple a manner as possible, targeting a time range of 15 minutes. The exercises provide an opportunity for management to present realistic scenarios to a workgroup to develop response procedures.
An employee just received a somewhat panicked call from one of the system administrators detailing that the organisation has been hit by ransomware. This ransomware seems to have infected and then encrypted all the data, including backups, of two of the servers. According to the ransom demand the organisation received, it must pay in a week, or the encryption key will be deleted and the data lost forever.
The work week is bustling, and people are asking why the servers are down. How should the organisation respond?
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 30 Appendix 20: Designing a Cyber Security Table Top Exercise
Note: This version was the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the actual chapter and section in the 1st Edition.