Jun 13, 2023

Maximizing the Effectiveness and Engagement of Your Tabletop Exercises: 4 Tips for Success

As the frequency and sophistication of cyberattacks continue to escalate, it’s more important than ever to ensure that your people, processes, and technologies are ready to respond quickly and effectively when incidents occur. A well-prepared organization is critical to keeping the financial and operational impacts of cyberattacks minimal.

Tabletop exercises are a great way to ensure your team is ready for any cyber incident. But we’ve seen too many organizations run poorly designed and executed tabletop exercises that give them a false sense of security and leave them ill-prepared for real-world external threats.

Tevora’s cybersecurity experts have helped many clients create and execute effective tabletop exercises. We’ve developed a proven methodology that results in cost-effective practices, guards against the latest cyber threats, and keeps teams engaged and focused by incorporating real-world scenarios and gamification elements.

In our experience, a tedious tabletop exercise is far less effective. Participants tend to drift off and lose focus, significantly reducing the effort’s value. To avoid this, we try to keep things light, creative, and fun! In this blog post, we’ll identify four critical elements for developing exercises that ensure your organization is well-prepared for anything cyber attackers may throw at you. We’ll also review Tevora’s tabletop exercise methodology and recommend additional resources for a deeper dive into this topic.

Four Key Elements for Developing Effective Tabletop Exercises

Our extensive experience working with clients to develop and execute tabletop exercises has taught us what works and what doesn’t. In this section, we review four elements that are essential to creating effective tabletop exercises.

1.     Develop Customized Scenarios

Use detailed, customized scenarios that accurately reflect your environment. Generic, cookie-cutter exercises won’t cut it. Your exercises should use real people in actual departments responding to real-world cyber incidents in the context of your organization’s existing business, security, and technical environment.

2.     Gamify it! 

There is nothing worse than a dreadfully dull tabletop exercise. Before long, eyes are glazing over, people are checking phones, and the exercise becomes a big time suck.

One effective way to keep your exercises engaging and fun is to “gamify” them. 

Gamification is using game mechanics and game thinking to engage users in solving problems and motivating them by introducing elements of competition and reward. Gamification techniques leverage our natural desires for socializing, learning, mastery, competition, achievement, status, self-expression, altruism, closure, or simply our response to framing a situation as a game or play. 

One of our favorite gamification techniques is to use physical “Things Happen” cards that walk team members through real-world attack scenarios and test their ability to identify and diagnose incidents and respond appropriately. 

Tevora has had great success incorporating gamification techniques in tabletop exercises for clients. We get rave reviews on our exercises. And feedback from client management is that they are beneficial in identifying weaknesses in cyber defenses and improving incident response effectiveness.

3.     Leverage NIST SP 800-61 and CMM to Identify Incident Response Gaps

Conduct a detailed review of your incident response policies, procedures, and guidelines to see how they compare to the Department of Commerce’s National Institute of Standards and Technology (NIST) Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide. Develop tabletop exercises that highlight significant gaps identified in this review.

We also recommend using the Capability Maturity Model (CMM) methodology to help identify gaps in your incident response readiness, which can inspire tabletop exercise scenarios. As part of this, we suggest formally assessing your incident response capabilities to determine your organization’s level of maturity. The assessment will result in a score that puts your level of maturity into one of the following five categories:

  • Initial: The organization’s processes are ad hoc, and no formal process exists. The organization relies on the individual skills of its employees.
  • Repeatable: The organization has established formal processes that are not yet fully documented or consistently followed.
  • Defined: The organization has documented its processes and practices and follows them consistently.
  • Managed: The organization measures and monitors its processes to ensure they are effective and efficient.
  • Optimizing: The organization continually improves its processes to achieve better performance.

4.     Work with Insiders

Work with one or more insiders in the areas where you plan to develop tabletop scenarios. Doing so will help ensure your scenarios are plausible and realistic. For example, if you want scenarios that test the organization’s ability to restore Identity and Access Management (IAM) data from backups if production IAM data is compromised or corrupted, pick insiders who know your backup and restore processes and technologies inside out. Work with them to choose scenarios that keep them up at night. This will ensure your tabletop exercises are relevant, realistic, and likely to highlight opportunities for improvement.

Tevora’s Tabletop Exercise Methodology

Our methodology for developing and executing tabletop exercises has been carefully honed over the years and is highly effective at developing cost-effective exercises that are relevant, engaging, and fun. Key elements of the methodology include:

1.     Diverse Simulations
  • Cyberattacks such as ransomware, phishing, spear phishing, denial of service, social engineering, and other common attack techniques.
  • Policy violations such as copying company data, harassing emails, and more.
  • Disaster Recovery and Business Continuity plans, to ensure your organization is prepared.
2.     Incident Management
  • The ability to simultaneously coordinate with your senior leadership, legal, and security teams to work through the tabletop exercises.
  • Continuous communication throughout the tabletop engagement process, keeping all stakeholders updated and informed.
3.     Incident Scope
  • All tabletop exercises are tailored to your specific environment.
  • In addition to cyber incident response exercises, our team has extensive experience developing scenarios for responding to catastrophic events such as fires, earthquakes, or active shooter incidents.
  • We thoroughly analyze your policies, procedures, security tools, and resources to identify gaps that might increase risk.
4.     Collaboration
  • We strive to create a no-fault, no-wrong-answer, and no-blame environment. 
  • Teams work together, keeping an open line of communication.
  • Team members work with each other and other people in your organization to solve the incident. 
5.     Tabletop Exercise Report
  • After the exercises, we provide a graded report card detailing your organization’s performance.
  • The report identifies gaps in the systems, processes, and human resources that respond to incidents in your environment.
  • Remediation recommendations outline what your organization requires to handle incidents properly.

Additional Resources

For a deeper dive on the topics covered in this blog post, check out these Tevora resources:

Tevora Can Help

If you’d like to learn more about Tevora’s tabletop exercises or would like help implementing them in your environment, our team of experienced security experts can help. Give us a call at (833) 292-1609 or email us at sales@tevora.com.