Preparing for a Cyber Crisis: Master the art of running tabletop security exercises

Table-top exercises are excellent tools for teaching crucial incident response skills and for working the bugs out of complex processes. The secret to designing and moderating productive exercises comes from the last place you’d expect.

Earlier this month I proposed that CSOs need to pre-emptively prepare their staff, superiors, and critical stakeholders on how to respond properly to major security incidents. The technique I recommended was the ‘table-top exercise’ (aka ‘sand-table exercise’): a guided, scenario-driven discussion where everyone learns who does what, when, and why during a crisis to understand how best to communicate, coordinate, and report on their specific functions. These exercises can be a highly-effective training tool … when they’re planned and run well. That leads to the logical question: how do I become proficient at designing and running these things?

The obvious answer is to invest heavily in preparation. Plan your scenario. Review your governing regulations. Trace your RACI [1] charts. Write a script that details what will happen, and when, in your training scenario. The more that you prepare before your students arrive, the better the experience will be for everyone. Right? Well … yes and no.

Preparation is extremely important. Experienced soldiers and seasoned project managers will advise you that a smart leader uses every available minute to think through everything that might go wrong and then develops detailed, comprehensive contingency plans to address each potential issue. Sure, there’s great value to be gained in planning; planning alone, however, isn’t enough.

There has never in the history of business been a policy comprehensive enough to address every possible contingency.

Why? Because of people. Remember: the entire purpose of holding table-top exercises is to work the bugs out of a complicated process when the consequences for failure are minor. If everyone already knew exactly what to do, there wouldn’t be any need to conduct the training! You host a table-top exercise (or ‘dry run’ or ‘guided walk-through’; call it what you will) specifically because at least one (if not every) stakeholder may not be fully aware of (or even able to perform) their part of the complex, integrated process. Exercises are conducted to train the people who don’t know what to do, to reinforce training for the people who do know what to do, and to determine where challenges might manifest.

That last element is the most important part of the experience: even when you think that you have the perfect plan, there’s always an error, or misalignment, or change that you aren’t aware of that makes your perfect plan nonviable. It’s no different from a ship’s ‘shake-down cruise.’ Your plan may be perfect, but design flaws, poor construction, or changing tactics may undermine your design’s operational effectiveness. Better to find out in practice so that you have time to fix the problems than wait until the stakes are high.

Planning is crucial but so too is reacting to unexpected problems. How do you get really good at performing both of those skills? The answer is perfectly-timed for Halloween: become a dungeon master! No, really. I know it sounds crazy. It isn’t. Follow my logic:

The games that we now know as ‘Role-Playing Games’ (RPGs) got their start in 1974 when a couple of ardent table-top wargamers named Gary Gygax and Dave Arneson published a new set of rules that added interactive story-telling, narrative plots, and recurring characters to traditional miniatures wargaming. The game grew out of Gygax’s earlier medieval wargame ‘Chainmail,’ and its creators kept adding rules to expand the game’s verisimilitude until it evolved into the phenomenon that we now know as ‘Dungeons & Dragons.’ It’s since become a global brand. D&D is still going strong in its fifth edition and it’s inspired hundreds of variations covering everything from science fiction epics to superhero romps to Stranger Things-style coming-of-age horror stories.

What’s even better is that you can re-purpose one game’s rules to make something entirely original based on your personal tastes. I don’t know why you’d want to play a game focused on detectives going undercover in the 1970s disco scene, but I can think of three published games off the top of my head that could be re-skinned to make that come to life.

What makes table-top RPGs unique is the division of roles. One person takes the role of the ‘game master’ (or, as it was originally known, the dreaded ‘dungeon master’). That person must think up the plot, decide on the setting, create the supporting characters, and craft the story that makes up the game. It’s like being a novelist, in that playing the game involves describing a scene that’s been extensively planned with rich, vibrant characters who have complex motivations. The difference is, the protagonists in a novel are under the author’s control. In an RPG, the protagonists are all designed and controlled by the players … who tend to misunderstand story prompts, react wholly inappropriately, and confound one another (and their GM!) with bizarre reactions that no one could have foreseen.

That ‘chaos factor’ is what makes RPGs so fun to play. It’s also what makes them optimal training grounds for table-top designers and moderators. Planning for and running an RPG session involves all the research, preparation, and detailed planning required to craft a good exercise scenario. The execution of the game involves the players’ sheer frustrating randomness and requires immediate improvisation. It forces the moderator to think up details, new scenario inputs, new characters, new logical consequences, and new believable challenges on the fly. It’s great fun, and it’s astoundingly difficult to do well.

I know that it seems crazy to think that table-top gaming skills can make you more productive at the office, but it’s true. Learning how to run an RPG session is only different from running a guided table-top exercise at the office in the sense that no one in the office gets to solve their ransomware outbreak with magic spells.

The prompt-and-response RPG technique lets you introduce each new phase of the exercise and gauge the participants’ comprehension. Reacting to their inputs clarifies their understanding of what’s happening. Often, you can uncover flawed assumptions, divergent definitions, and misunderstandings in the table-top exchanges that would probably be missed in the high-pressure environment of a real emergency.

‘No, Gary, this is NOT a good time to stop and re-read the ladder safety instructions!’

Introducing new complications into a ‘standard’ scenario helps you probe the outer edges of company doctrine to see where the ‘standard response’ is inadequate. Since you aren’t really racing against the clock, you can pause at any time to clarify policies and procedures. This helps everyone get synched, and often identifies critical gaps in core response plans. You might discover that a pivotal third-party vendor has been replaced or a service offering has changed, thereby giving you time to find a replacement.

I know it seems barmy. I truly do. Maybe even a little spooky if you’ve never encountered the table-top RPG world before. That’s okay. It’s all the same work, just done with neckties and (usually) without any fancy dice (although introducing a little randomness can make a mundane exercise memorable by taking it in directions no one predicted). It’s a tactic that I recommend because every crucial process needs to be tested and perfected before the company’s survival hinges upon it. And if a skill is worth learning, it’s worth doing well.

At their heart, table-top RPGs are just a form of interactive creative storytelling. You can make them as simple or as complex as you like and play in pretty much any genre or story type that appeals to you. Find a few friends, get yourself a starter set, roll some dice and have some laughs. The skills you’ll learn along the way will make you much better at running security table-top exercises for your key stakeholders … and that, in turn, will lead to much more effective real-world responses during a declared crisis.

[1] Responsible, Accountable, Consulted and Informed

Keil Hubert

Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil was a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. blogger since 2012. His books on applied leadership, business culture, and talent management are available on Keil is based out of Dallas, Texas.
