Conduct a Cybersecurity Tabletop Exercise

Learning Objectives

After completing this unit, you’ll be able to:

  • Discuss the importance of realistic scenarios.
  • Identify the need to conduct a tabletop exercise.
  • Apply the steps in conducting a tabletop exercise.

Tabletop exercises hold a unique advantage within the spectrum of cybersecurity practices. They foster a rare convergence of diverse members across the organization, uniting cyber and non-cyber personnel in a collaborative environment. Given this cross-departmental gathering, the development of scenarios becomes a critical pillar of the exercise.

Scenario Development

Of all the steps in creating a tabletop exercise, one of the most important is choosing the right scenario. Scenarios must be complex enough to test the cyber team’s technical response but also clear and relatable so that non-cyber participants can contribute to strategy and decision-making processes.

Realistic Scenarios

The plausibility of the scenario is one of the most crucial aspects of a successful tabletop exercise. Simply using a generic scenario from the internet or hastily creating an exercise without considering its relevance and realism can lead to an ineffective and unengaging experience. Key points to consider include:

  • Relevance to the Organization: The scenario must be tailored to reflect the specific risks, vulnerabilities, and operational context of the organization. This ensures that the exercise addresses realistic challenges and decision-making situations the participants might actually face.
  • Real-World Application: A plausible scenario helps in testing and refining actual response plans and procedures. If the scenario is not applicable to the organization’s environment or to the people attending, the exercise might fail to provide valuable insights or improvements in preparedness.

Let’s quickly look at an unrealistic scenario to understand this better.

Consider a small ecommerce company specializing in handmade crafts. The cybersecurity lead conducts a tabletop exercise using a scenario where they face a complex nation-state cyber-espionage attack. This would likely be unrealistic for them.

Here’s why.

  • Mismatch with Risk Profile: A small ecommerce company’s primary cybersecurity concerns would typically involve things like financial fraud, data breaches of customer information, or website downtime. A sophisticated nation-state attack is beyond the typical threat landscape for such a business.
  • Resource Disparity: Such an organization would be unlikely to have the resources, or the need, to defend against highly advanced cyberthreats that are more relevant to large corporations or government entities.
  • Lack of Relevance: The staff in a small ecommerce company might not have the expertise or context to meaningfully engage with a scenario of this complexity, making the exercise less effective in enhancing their readiness for realistic threats.

In this case, the company would likely benefit more from tabletop exercises focused on scenarios like a data breach involving customer information, a ransomware attack impacting their online sales platform, or phishing attempts on their employees. These may be more aligned with their operational context and risk profile.

For organizations looking to use or modify existing external cybersecurity tabletop exercise scenarios, several free resources are available online.

  1. Center for Internet Security (CIS): As the publishers of the CIS Critical Security Controls, CIS offers downloadable tabletop exercises focused on various aspects of cybersecurity.
  2. Cybersecurity and Infrastructure Security Agency (CISA): CISA provides a range of resources, including tabletop exercise packages tailored for different sectors.
  3. ISACA: As an association focused on IT governance, ISACA offers guidance on using Lego Serious Play, a game-based learning process, to conduct tabletop exercises.

These resources also provide templates and best practices that can be customized to fit the specific needs and context of an organization.

When Is a Tabletop Exercise Necessary?

A tabletop exercise becomes necessary in several key situations related to preparing for, assessing, and improving an organization’s cybersecurity policies and incident response, including the following.

  1. Developing or Updating Incident Response Plans: When an organization is developing a new incident response plan or updating an existing one, a tabletop exercise helps test the plan's effectiveness and identify any gaps or weaknesses.
  2. Following a Real Incident: After experiencing a real cybersecurity incident, conducting a tabletop exercise allows organizations to analyze their response to the actual incident, learn from any mistakes, and improve their strategies and tactics for the future.
  3. Compliance with Legal and Regulatory Requirements: Certain industries and sectors have legal and regulatory requirements to conduct regular cybersecurity testing. These exercises demonstrate compliance and ensure that the organization is prepared to meet regulatory standards for incident response.
  4. Testing Interdepartmental Coordination: Tabletop exercises can be used to test and improve the coordination between different departments (such as IT, HR, legal, and public relations) in responding to cybersecurity incidents.
  5. Evaluating Third-Party Relationships: If an organization relies on third-party vendors or partners for key services, tabletop exercises can be used to assess how these relationships might impact the organization’s response to a cybersecurity incident.

To summarize, a tabletop exercise is necessary whenever an organization needs to ensure that its cybersecurity plans are effective, its team members are prepared, and its strategies are aligned with the evolving nature of cyberthreats and business operations.

Now let’s look in on an organization as they conduct a tabletop exercise.

Tabletop Exercise Example Scenario: Phishing

A midsize financial technology company has scheduled its annual tabletop exercise to comply with the financial industry’s regulatory requirements for testing its contingency plans. This exercise is pivotal in validating the effectiveness of its newly updated contingency plan, which has been revised to address the recent expansion of the company’s digital services and its revised threat profile.

Preparation

In preparation for the exercise, the Incident Response Team (IRT), led by the chief information security officer (CISO), Sarah Johnson, meticulously plans the scenario. This year’s focus is on a simulated phishing attack, a highly relevant threat in the financial sector. The scenario involves a sophisticated phishing scheme aimed at extracting sensitive customer information.

Exercise Title: Phishing Attempt on Corporate Network

Time: 30 Minutes

Objectives:

  1. Develop a coordinated response to a phishing incident, minimizing data loss and restoring services.
  2. Identify areas of improvement in cyber incident response plans and overall organizational resilience during and following a significant cyber incident.

Scenario Description: While shopping online, an employee used their work email to sign up for a promotional deal on an ecommerce site. Today the ecommerce site disclosed a significant data breach of login credentials. Now, departments across the company are reporting an influx of unusual emails and urgent password reset requests. At least one staff member from each of your departments has clicked on one of the links in these emails, believing it to be a legitimate request. What do you do?

Two weeks prior to the exercise, Sarah sends out briefs to department heads across the company, including IT, legal, communications, and customer service, outlining their expected participation. She also invites an external cybersecurity expert to observe and provide an unbiased evaluation of the team’s response.

Day of the Exercise

On the day of the exercise, participants assemble in a large conference room, equipped with screens displaying the company’s network and communication channels. Sarah sets the scene: It’s a typical business day when suddenly, employees report suspicious emails and password reset requests designed to look like legitimate company communications. At least one staff member from each of your departments has clicked one of the links in these emails, believing it to be a legitimate request. What do you do?

The Cyber team, led by the Security Operations Center manager, Tom, starts the discussion. Tom explains the security alert that would inform the team of a suspected phishing attempt. He then details the process of investigating the source of the emails, assessing the potential impact on the network, and identifying compromised accounts. Tom communicates these actions to the group, focusing on the steps taken to trace the phishing email’s origin.

Alex, the Cyber Engineering team lead, informs the group that, in accordance with the incident response plan, the team dispatches a companywide alert. It informs leaders, supervisors, and employees of the phishing attempt and instructs them to report any similar suspicious emails or activity they might encounter. The team also works diligently to find and isolate any malware that may have been introduced into the network as a result of employees clicking the suspicious link.

The legal department, under Emily’s guidance, discusses the legal ramifications, concentrating on data protection laws, and describes the process used to inform regulatory bodies and potentially affected customers. They also consider the risks of potential information leakage. The communications team, led by David, follows established communication protocols to prepare a statement for partners and customers, balancing transparency with reassurance.

Customer service, in coordination with communications, prepares to handle a spike in inquiries, ensuring consistent and accurate information dissemination. Throughout the exercise, Sarah introduces new challenges: increasing reports of compromised data, heightened media scrutiny, and urgent demands from affected customers. The teams follow established protocols but also adapt their strategies in real time, demonstrating their agility in responding to a fast-evolving situation.

Debriefing and Lessons Learned

Post-exercise, Jordan, the external expert, leads a debriefing session. She praises the team’s swift identification of the phishing source and the comprehensive communication approach. She suggests specific improvements.

  • Configure cyber tools to detect unusual network activity more quickly.
  • Create predefined response templates for customer inquiries.
  • Update the response plan to include current legal and compliance requirements.
  • Implement enhanced employee training on the use of work credentials and on recognizing phishing attempts.
  • Create “emergency action cards” with concise, critical information for quick reference during an emergency.

Sarah wraps up by stressing the value of these simulations in preparing for actual incidents. She encourages the team to commit to using the insights to refine their contingency and response plans and to bolster the organization’s cybersecurity awareness and defenses.

Tabletop exercises play a unique role in enhancing organizational preparedness and response capabilities. With the practice and information they provide, organizations are more informed and better able to work as a collaborative team to strategize and prepare for cybersecurity threats.

Sum It Up

In this module, you’ve been introduced to tabletop exercises, and you’ve become aware of when and how to conduct a tabletop exercise. Equipped with this understanding, you’re now able to plan, conduct, and participate in a tabletop exercise as a way of testing the strength and resilience of your cybersecurity policies and plans.

Interested in learning more about cybersecurity roles and hearing from security professionals? Check out the Cybersecurity Career Path on Trailhead.
