How to Conduct Tabletop Exercises: Dungeons & Dragons for Cybersecurity

In a Dungeons & Dragons campaign, a group of players huddles around a table and embarks on epic adventures as determined by the leading figure, the almighty Dungeon Master. Each player assumes the identity of a distinct character, each with their own inherent strengths: the stealthy and deadly rogue, the courageous and brutish barbarian, the disciplined and divine cleric.

Together, they confront tyrannical monsters, secure powerful artifacts, and outwit the forces of evil.

However, despite each class’s superhuman abilities or magical powers, success hinges on how the team functions as a whole. The meticulous development of skills, strategic collaboration, compensation of each other’s weaknesses, and adaptation to unpredictable encounters all determine whether the campaign is successful or not.

And although your team will never have to slay an ogre, these skills exercised in a Dungeons and Dragons campaign transcend the realm of fantasy. Tabletop exercises can also be used to foster collaboration and practice incident response playbooks with your cybersecurity and operations teams.

By simulating potential security incidents, your team members can practice their response in a controlled, low-risk environment. So, when a digital dragon does threaten the proverbial village, each real-world adventurer understands the role and responsibilities they hold and is prepared.

What are Tabletop Exercises?

Tabletop exercises are scenario-based discussions that simulate potential security incidents, allowing team members to practice their response in a controlled, low-stakes environment. These exercises involve role-playing, where participants assume specific roles and responsibilities within the incident response plan. The primary goal of tabletop exercises is to clarify these roles and responsibilities, ensuring that everyone knows what is expected of them during an actual security or disaster event.

By working through a simulated scenario, participants can identify potential gaps in their understanding, communication, or procedures. This allows them to refine their actions and decision-making processes, leading to improved coordination and a more effective response during a real crisis. Tabletop exercises are not designed to be tests or evaluations of individual performance. Instead, they are collaborative learning experiences where participants can safely explore different approaches, make mistakes, and learn from them without fear of consequences.

The focus is on fostering a culture of open communication, critical thinking, and decisive action along with ensuring the company’s business continuity and incident response plans are actionable. Throughout the exercise, facilitators guide the discussion, present challenges, and encourage participants to think creatively about how to respond. This helps to develop problem-solving skills, adaptability, and the ability to communicate effectively under pressure.

After the exercise, a debriefing session is held to review the team’s performance, identify strengths and weaknesses, and discuss lessons learned. This feedback is invaluable for improving the organization’s incident response plan and overall preparedness for cyber threats. By incorporating these insights, organizations can enhance their ability to detect, respond to, and recover from security incidents quickly and efficiently.

Roles of a Tabletop Exercise

To run a tabletop exercise, your organization will need to assign specific roles to team members:

  • Facilitator: The facilitator assumes a pivotal role in orchestrating the tabletop exercise. They initiate the proceedings by presenting the initial scenario, setting the stage for the simulation. As the exercise unfolds, the facilitator dynamically steers the course of the simulation, introducing updates and modifications in response to the actions and decisions undertaken by the participants. This role demands a comprehensive understanding of the scenario, adept communication skills, and the ability to maintain the flow and momentum of the exercise. Ideally, the facilitator role should be limited to one or two individuals to ensure clear direction and avoid conflicting guidance. For smaller teams, this role may be difficult to fill, because the same person may also be needed as a key player. In this case, consider assigning the facilitator role to a member of a security partner. The team at Netragard would be more than happy to assist in a more formal setting.
  • Players: The players form the core of the tabletop exercise, actively participating in the simulation and assuming the roles and responsibilities inherent to their positions within the organization. They engage in discussions, make decisions, and take actions in response to the evolving scenario. The players’ performance during the exercise offers valuable insights into their comprehension of procedures, their decision-making capabilities under pressure, and their ability to collaborate effectively within a team. The majority of participants in a tabletop exercise should be assigned the role of players.
  • Observers: Observers play a supportive role in the tabletop exercise, offering a detached perspective and providing valuable insights to enhance the learning experience. They closely monitor the actions and decisions of the players, asking pertinent questions and offering additional information to stimulate discussion and enrich the simulation. Observers may include individuals from within the organization such as executives or representatives from outside the information technology and cybersecurity departments, as well as external parties such as third-party contractors or subject matter experts. Their contributions can help to identify strengths, weaknesses, and areas for improvement in the organization’s incident response capabilities.
  • Scribe: The scribe fulfills a crucial function in the tabletop exercise by meticulously documenting the entire simulation. They transcribe the discussions, record the decisions made, and note whether the established incident response plan was adhered to. The scribe’s documentation serves as a valuable resource for post-exercise analysis, enabling the organization to identify areas of success, pinpoint shortcomings, and refine its incident response plan for enhanced effectiveness.

Conducting a Tabletop Exercise

After distributing the roles and ensuring that everyone has a printed copy of the incident response plan and updated contact lists, the tabletop exercise can begin:

  1. Introduction and Objectives: The facilitator kicks off the exercise by presenting the scenario. This scenario should be a realistic situation that could potentially impact the organization. Along with the scenario, the facilitator clearly outlines the remediation objectives. These objectives are the desired outcomes of the exercise, the goals that the participants should be working towards as they navigate the scenario.
  2. Freeform Discussion and Idea Generation: With the scenario and objectives laid out, the players engage in open discussion. This is a brainstorming phase where all ideas are welcome. Players are encouraged to share their thoughts on how to respond to the scenario, building on each other’s suggestions. The facilitator plays a crucial role here, guiding the discussion and ensuring that it stays focused on the scenario and the objectives. If the conversation starts to veer off track, the facilitator steers it back on course.
  3. Observer Challenges and Deeper Analysis: While the discussion is ongoing, observers are actively listening and analyzing the ideas being presented. An observer’s role is to challenge the players to think more deeply about their suggestions. At appropriate moments, without interrupting the flow of the discussion, observers interject with questions or comments that push the players to provide more details or consider different perspectives. This helps to refine the ideas and ensure that all aspects of the scenario are being considered.

Gaining the Most from a Tabletop Exercise

By incorporating the following principles into your tabletop exercises, you can create a more engaging, informative, and impactful experience for all participants:

  • Relevance of Scenarios: The scenarios utilized in the tabletop exercise should be closely aligned with the specific threat landscape that your organization faces. This can include drawing inspiration from industry-specific breaches, emerging threat vectors, and potential vulnerabilities within your sector. By grounding the exercise in realistic scenarios, players can better understand the potential impact of threats and develop effective response strategies.
  • Focus on General Approach: While it’s important to consider the unique aspects of your organization’s technology stack, the tabletop exercise should not be overly focused on specific technologies. Instead, a more general approach should be adopted to account for a wider range of potential vulnerabilities and attack vectors. This allows for a more comprehensive exploration and ensures that the exercise remains relevant even as technologies evolve.
  • Flexible Timeframe: To facilitate a thorough exploration of the scenario and encourage open discussion, it’s crucial to avoid imposing a rigid timeframe on the tabletop exercise. Instead, allocate a range of hours to allow for in-depth analysis, brainstorming, and the development of creative solutions. By fostering a less restrictive environment, players are more likely to engage fully in the exercise and contribute valuable insights.
  • Emphasis on Collaboration and Creativity: It’s essential to create a safe and supportive environment where players feel comfortable sharing their ideas and perspectives without fear of judgment or evaluation. Reiterate that the exercise is not intended to assess individual performance but rather to foster collaboration and generate innovative solutions. By emphasizing the collective goal of enhancing organizational preparedness, players are more likely to contribute their unique expertise and insights.

Tabletop Exercise Resources

If your organization is not yet familiar with tabletop exercises, there are several resources available to get you started:

Card Games

  • CyberSecureDeck: The Defend the Network card game, which can be downloaded as a .zip file, provides high-level operational scenarios that team members can play through, taking on various roles across different departments. This game is great for first-time tabletop groups where the focus is on organization and processes, and it is best played with 5+ participants. It is less technical than the games that follow and also allows individuals to take on roles in other organizational units such as HR, Compliance, and Legal, which can help participants understand how each function can be crucial for business continuity and incident response.

  • Backdoors & Breaches: Black Hills Information Security offers both a physical 52-card deck and an online version, with 3,840 possible incident scenarios. It is designed to simulate real-world cybersecurity incidents and test a team’s ability to respond effectively. This is the gold standard for incident response games today. BHIS is constantly releasing additional card packs to augment the game and scenarios. In addition, there is a 2-player competitive mode and a free online version for remote teams. There is even a ChatGPT Game Master if you want AI to lead the game and scenarios for you.

  • Emergynt Risk Deck: This card deck also generates various incident scenarios. It can be used to create 4,000 realistic and engaging tabletop exercises that help teams prepare for a wide range of potential emergencies.

Incident Scenario Templates and Frameworks

  • CISA Tabletop Exercise Packages: The U.S. Cybersecurity and Infrastructure Agency (CISA) provides over 100 incident scenario templates that can be used to create tabletop exercises.
  • CIS Six Tabletop Exercises: The Center for Internet Security (CIS) offers six downloadable incident scenarios for tabletop exercises.
  • NCSC Exercise in a Box: The National Cyber Security Centre (NCSC) offers 20 exercise templates covering 12 different topics.
  • Dungeons and Data: Made popular by an RSA 2018 conference session in which Josh Bressers led a full scenario with 30+ attendees. He has made the content available for anyone to use, along with his detailed review of the roles and outcomes from the sessions.

Social Media

  • @badthingsdaily: This account posts daily incident scenario ideas. It can be a valuable resource for organizations that are looking for new and creative ideas for tabletop exercises.

Conclusion

When it comes to being prepared, you want to make sure you roll a natural 20, not the dreaded 1. Think of tabletop exercises as the Dungeons & Dragons adventures of the cybersecurity world: they infuse training with gamification and role-playing, transforming routine drills into dynamic opportunities for your team to sharpen their strategic thinking, collaboration, and adaptability—all while enjoying the process.

It’s time to trade in those dreaded, monotonous training sessions for something your team will actually anticipate. By making training memorable and enjoyable, you foster a more engaged and motivated workforce. This positive shift doesn’t just boost morale; it leads to more effective business continuity and incident response plans, ultimately strengthening your organization’s security posture and resilience.
