Tabletop exercises can assist organizations in effectively preparing for the actions they must take in the “if, not when” current reality of business-impacting risk incidents. Experience and extensive testing, which may take the form of event simulations, are vital components of an efficient and effective enterprise resiliency program. During times of stress and concern, individuals are significantly more likely to make poor decisions, or to be unable to make appropriate decisions effectively or efficiently. Tabletop exercises provide realistic scenarios and testing conditions that can be used to assess (and ultimately improve) an organization’s crisis management and incident response capabilities. Such exercises help remove the element of surprise that can arise from an unpredictable event and aid in developing a structured, comprehensive set of methods, tactics and procedures an organization can follow if faced with a similar scenario in the future.
Effective tabletop exercises engage the audience by asking them to think critically, make difficult decisions and rise to unforeseen challenges based on changing conditions and the actions they choose. The goal of a tabletop exercise should be to test crisis management and incident response plans that have already been developed and adopted by the organization to ensure their ability to be used effectively by the intended users.
There are five key considerations for developing business resiliency tabletop exercises:
1. Ensure that the event depicted is relatable and realistic to enterprise leaders and stakeholders.
There are many possible crisis scenarios that an organization can face, but there are relatively few that are considered highly probable (and material if they occur). The most successful tabletop scenarios are those that business leaders and stakeholders find relatable and realistic. The current focus of many tabletop exercises is on cybersecurity incidents due to their frequency, business impacts and widespread media attention. This is not to say that other crisis and incident types should be ignored, but in the current threat landscape, cybersecurity must be prioritized and prepared for accordingly. When developing a tabletop exercise, it is useful to mimic scenarios and details from recent, well-publicized and business-impacting incidents. This often has the effect of engaging participants more thoroughly and lending credibility to the exercises, since there can be little doubt of the events’ plausibility.
2. Consider conducting a series of exercises that become progressively more difficult.
Tabletop exercises should be performed on a regular basis (i.e., at least annually) by organizations to test their plans and abilities to execute them. Instead of starting from the beginning and developing dramatically different exercises for each occurrence, consider adopting a campaign approach wherein each exercise builds on the previous one regarding the skills, components and concepts to be tested, even if the scenario presented is different. To build confidence in individuals who are involved in the exercises, begin with foundational, challenging, but winnable scenarios that can be navigated by following developed and trained incident response plans and playbooks. As testing scenarios are further developed, components can be added that do not have obvious solutions and instead require critical thinking about factors that may not have been considered in the organization’s existing crisis management and incident response plans.
A common mistake many organizations make during their tabletop exercises is to build scenarios that always allow the organization to achieve success at the end of the exercise. The goal of the tabletop exercise should not be to win, but instead to test the crisis management and incident response capabilities that have been developed and identify areas for improvement. Not winning often produces better learning opportunities and helps identify more gaps in incident readiness capabilities. When the organization has achieved a high capability maturity regarding its incident response capabilities, scenarios can be created that require more critical and dynamic thinking and decision making. The consequences of poor decisions can then be integrated into the scenario more effectively. The success criteria for these kinds of tests should be focused on the ability of the organization to navigate difficult and challenging situations iteratively and to learn, pivot, adapt and overcome stressful situations.
3. Identify and document expected behaviors in alignment with incident response plans.
Tabletop exercises should be developed using crisis management and response materials and playbooks to ensure that they align with the behaviors that have been trained and are expected. It is important to compare the expected behaviors of those being tested with their actual behaviors during the exercise. Deviations from expected behaviors should be reviewed to see if they are more appropriate than those originally expected (and, in turn, materials should be updated accordingly) or if corrective training needs to be provided to the group being tested.
When developing a tabletop exercise, it is key to divide the test into logical, progressive phases (e.g., initial event recognition, initial actions, progressive analysis actions). The moderator of the tabletop exercise should track expected vs. actual behaviors at each phase of the exercise for use in the post-exercise review and continuous improvement activities. This will help both enterprise leadership and moderators evaluate the effectiveness of the materials that were used in the test, identify opportunities for improvement of the materials and develop enhanced and targeted training for the individuals who participated in the test.
4. Use stress events throughout the exercise to stimulate critical thinking.
Unfortunately, incidents rarely unfold in such a way that an individual or organization can follow training and playbooks to address them comprehensively without having to consider events that have not been accounted for. Crisis management and incident response activities are already inherently stressful to all involved. The ability to adapt to (and overcome) unplanned events during a response is just as important as the ability to follow prepared training and playbooks. To be realistic, tabletop exercises should include stress events that are not accounted for in training or materials, but that need to be considered and addressed in real time during the test. Stress events should be challenging, difficult, confusing and somewhat ambiguous to force the group being tested to question their current courses of action and consider new variables.
Plausible, common stress events include key staff not being available to assist in a response activity or becoming unavailable during an activity; failure of plans/actions that were believed to be able to address the event; outside parties applying pressure to the organization; failures of key technologies; and mistakes made by responders that cause increased material impacts and require additional corrective actions. Each scenario will lend itself to plausible and realistic stress events that should be included in various phases of the test. In the post-exercise review, the handling of stress events should be highlighted and scrutinized to help individuals identify how they can better address these types of situations in actual response activities, as well as opportunities to improve response materials and playbooks to account for the identified possibilities.
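The phase-by-phase tracking described under consideration 3 and the stress-event injects described under consideration 4 can be captured in a simple moderator's tool. The following Python script is an added example, not part of the article or the author's material: it models an exercise as phases, each with the playbook behaviors the moderator expects and the stress events scheduled for that phase, records what the group actually did, and produces the expected-vs-actual deviation report for the post-exercise review. The scenario content (phases, behaviors and injects) is constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Phase:
    """One logical, progressive segment of the exercise (e.g. initial event recognition)."""
    name: str
    expected: frozenset          # playbook behaviors the moderator expects in this phase
    injects: tuple = ()          # stress events the moderator presents during this phase


@dataclass
class ExerciseLog:
    """Moderator's record of what the group actually did in each phase."""
    phases: list
    observed: dict = field(default_factory=dict)   # phase name -> set of observed behaviors

    def record(self, phase_name, behavior):
        """Log an observed behavior; reject phases that are not part of the exercise."""
        if phase_name not in {p.name for p in self.phases}:
            raise ValueError(f"unknown phase: {phase_name}")
        self.observed.setdefault(phase_name, set()).add(behavior)

    def deviations(self):
        """Expected-vs-actual comparison per phase for the post-exercise review.

        'missed'     = playbook steps the group did not take (candidate for corrective training)
        'unexpected' = steps the playbook did not call for (review: better than the playbook,
                       in which case update the materials, or a detour to train out)
        """
        report = {}
        for p in self.phases:
            seen = self.observed.get(p.name, set())
            report[p.name] = {
                "missed": sorted(p.expected - seen),
                "unexpected": sorted(seen - p.expected),
                "injects": list(p.injects),
            }
        return report

    def phases_needing_review(self):
        """Phases with any deviation, in exercise order."""
        return [name for name, d in self.deviations().items()
                if d["missed"] or d["unexpected"]]


# Constructed scenario (hypothetical): a ransomware event on a file server, split into
# the three phases named in the article, with stress events injected in later phases.
SCENARIO = [
    Phase("initial event recognition",
          frozenset({"open incident ticket", "notify incident commander", "classify severity"})),
    Phase("initial actions",
          frozenset({"isolate affected hosts", "preserve volatile evidence", "engage legal counsel"}),
          injects=("incident commander unreachable",)),
    Phase("progressive analysis",
          frozenset({"scope affected systems", "brief executive leadership",
                     "prepare external communications"}),
          injects=("backup restore fails", "journalist calls press office")),
]


def run_demo():
    """Play a constructed session and return the log for the post-exercise review."""
    log = ExerciseLog(SCENARIO)
    for b in ("open incident ticket", "notify incident commander", "classify severity"):
        log.record("initial event recognition", b)
    log.record("initial actions", "isolate affected hosts")
    log.record("initial actions", "engage legal counsel")
    # Group's response to the inject; not in the playbook, so it surfaces as 'unexpected'.
    log.record("initial actions", "appoint deputy incident commander")
    log.record("progressive analysis", "scope affected systems")
    log.record("progressive analysis", "brief executive leadership")
    return log


if __name__ == "__main__":
    session = run_demo()
    for phase, d in session.deviations().items():
        print(f"{phase}: missed={d['missed']} unexpected={d['unexpected']} injects={d['injects']}")
    print("phases needing review:", session.phases_needing_review())
```

In the constructed session the group skips evidence preservation once the incident commander inject lands, and never reaches external communications after the press inject; both show up as "missed" items, while the improvised deputy appointment shows up as "unexpected" and is exactly the kind of deviation the review should decide whether to fold into the playbook.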
5. Inject ambiguous details and questionable data points throughout the exercise that may or may not be part of the core incident.
Throughout real incident response activities, responders may be presented with a significant amount of ambiguous, extraneous and often erroneous information that they will need to process quickly. This is especially true during the first 72 hours of any material incident, also known as the “shock and awe” period of crisis management. During this time, there is often confusion, speculation, numerous simultaneous and often conflicting data points, very high stress and frequent disorganization. Tabletop exercises should simulate such situations for participants to help them learn how to manage them effectively and be efficient in their response activities.
Building Muscle Memory
Tabletop exercises are an invaluable tool in helping organizations become more efficient in their crisis management and incident response capabilities. To be effective, these exercises must be plausible, adaptable and challenging. When tabletop exercises are used correctly, organizations can build muscle memory that helps them counteract the inherent stress, surprise and confusion often associated with crisis management and incident response activities. This instills in employees the confidence that they need to meet any challenge.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.