Sunday, November 26, 2017

Effective Tabletop Exercise Design

I used to hold the position that when an organization decided to execute a tabletop exercise, it was because it was mature to the point of having an incident response plan (IRP). The organization utilizes the tabletop to test the execution of the IRP and identify any gaps. I mostly thought the exercise was to affirm that the controls and processes in place were adequate.

I was mistaken.

Often the exercise is meant to shine a spotlight on how unprepared a company is if an incident were to occur. A tabletop exercise could be used to demonstrate to management that in the event of a breach they don't know who is responsible for what, what the proper response should be, when to involve legal counsel, when to involve law enforcement, etc.

Tabletop exercises are an effective tool for measuring an organization's capability to respond to an incident at every maturity level.

This point highlights the importance of having a clearly defined objective before heading into a tabletop exercise. Objectives should align with past, current, and future capabilities. The objectives enable tabletop planners to design the scenario to be inclusive of all stakeholders and test the cohesiveness of support systems in response to potential cyber attacks.

The next step should be to assemble the team that will design the exercise. This could be an outsourced resource who can objectively review policies and procedures and design an exercise based on provided documentation. The design team could also be made up of internal resources familiar with the in-house processes. The objectives should drive the choice of personnel required to design scenarios. The designers should not be a part of the exercise itself. The designers should also be free from pressure (political or otherwise) over the results of the exercise. The design team should be allocated anywhere from 1 to 3 months to adequately plan the exercise.

The design team will flesh out the list of participants in the exercise. It is key for a tabletop team to understand the audience of the exercise and to tailor its language to be inclusive. The exercise must also speak to the environment of the organization. The specific tools the participants use, their understanding of security concepts, and the organization's native acronyms are among the things that may need to be accounted for when designing the exercise. The participants should all be able to understand and track the scenario as it is executed during the exercise.

In order to build an effective tabletop exercise, the design team must account for these common issues with tabletop execution:

  • Cyber scenario objectives are not clearly defined.
  • Rules of engagement are not clearly defined.
  • Awareness is reduced because senior leaders are not involved in planning.
  • Cyber injects are not executed as planned.
  • The training audience fights against the scenario.
  • Logistical/technical issues arise during execution.

Now that your team is built, the objectives defined, and the audience identified, the designers will be able to begin building the scenario. Designers must build realistic events that could occur and that impact the organization, partners, and stakeholders. The scenario will be closely tied to the objectives of the exercise. The scenario is composed of scripted events that are meant to facilitate discussions between the different groups involved in the exercise. The scripts should allow for improvisation so that simple modifications and injects (new data for participants to consider) are available.

Now all that's left is the execution and the after-action report. It is necessary to have someone whose only function is to take copious notes to build the report. Candor is a necessity in any tabletop exercise. The exercise is meant to identify any gaps in the organization and help develop plans to rectify any findings. It must be communicated that the outcome of the exercise is meant to make all parties involved better. The event is not meant to shame but to uplift by informing and building.