Beruflich Dokumente
Kultur Dokumente
It is foolish to wait until an enterprise is in the midst to prevent failures and overcome challenges has
of a data breach to test its cybersecurity incident been recognized. Cybersecurity professionals need
response plan (CSIRP). How likely is it that the to acknowledge these shortcomings and explore
enterprise will know that a cyberattack is underway new mechanisms to manage them. The LSP
and be able to react appropriately? Are the method has proved to be one mechanism that
enterprise’s current policies and procedures enriches and improves cybersecurity incident
sufficient to effectively detect, respond to and response TTEs and reduces the risk of failure.
mitigate sophisticated cybersecurity incidents?
The Value of Tabletop Exercises
The use of tabletop exercises (TTEs) can help
answer these and other questions. TTEs are A TTE presents a realistic cybersecurity incident
designed to prepare for real cybersecurity incidents. scenario to which an enterprise must respond.
By conducting TTEs, an incident response team Participants in the exercise describe how they
increases its confidence in the validity of the would react during the incident, what tools they
enterprise’s CSIRP and the team’s ability to would use and what procedures they would follow.
execute it.1 At the end of the exercise, the enterprise can
determine where its incident response plans and
The Lego Serious Play (LSP) method can support, policies are working well, where there is room for
improve and strengthen the design, execution and improvement, and how it can refine its CSIRP
outcomes of the TTEs an enterprise uses to assess
the capabilities, effectiveness and maturity of its
CSIRP. TTEs help determine whether the current
CSIRP is able to detect, respond to and mitigate
incidents in a timely and successful manner. They
can also ascertain whether the right people are in
place, whether they are aware of and committed to
their duties during a real cybersecurity incident, and
whether they can execute the procedures correctly.
”
RESULTS OF A TTE CAN SATISFY THESE • Assess the capabilities of existing resources and
identify needed resources.
REQUIREMENTS.
moving forward. Increasingly, clients, insurers,
Methodology for Planning and
auditors and regulators require evidence of Performing Tabletop Exercises
preparedness, and the results of a TTE can satisfy TTEs must follow some widely accepted
these requirements. methodology or guide. NIST SP 800-84, for
example, focuses on TTEs and functional
A variety of standards, regulations and guides exercises.10 It can help enterprises design, develop,
related to cybersecurity incident response conduct and evaluate testing, training and exercise
recommends the testing of CSIRPs. Figure 1 events in an effort to assist personnel in preparing
provides a sampling of standards from NIST,3, 4 the for adverse situations involving IT.
Payment Card Industry Security Standards Council
(PCI SSC),5 the SANS Institute,6 the International TTEs are discussion-based exercises. Personnel
Organization for Standardization (ISO)/International meet in a classroom setting or in breakout groups to
Electrotechnical Commission (IEC)7 and ISACA®.8 discuss their roles during an emergency and their
responses to a particular crisis situation. A facilitator
The US Department of Homeland Security’s Ready presents a scenario and asks the participants
Campaign,9 designed to educate and empower questions related to the scenario, which initiates a
US citizens to prepare for, respond to and mitigate discussion of roles, responsibilities, coordination and
emergencies, summarizes the benefits and decision making. Figure 2 outlines the NIST SP 800-
outcomes of exercises to test response plans. They 84 methodology for conducting a TTE.
include the following:
• Identify planning and procedural deficiencies. Failures and Challenges of Tabletop
• Clarify roles and responsibilities.
Exercises
TTEs are not exempt from weaknesses and
• Obtain participant feedback and
discouraging results.11 Disengaged staff, low
recommendations for program improvement.
attendance, inattention during the exercise and
• Measure improvement compared to other failures have been identified. They include
performance objectives. the following:
Conduct the
Because many of the failures of TTEs are related to
TTE event. interest, interaction, engagement and participation,
creative solutions are needed, and this is where
game-based learning and gamification can help.
• Lack of clear and achievable objectives—Do not An example of game-based learning applied to
overcomplicate the objectives of the TTE, and TTEs is Backdoors & Breaches, an incident
make sure they are achievable. response card game that is simple in concept,
easy to play and fun.13
• Irrelevance—The value of a TTE is the
opportunity to discuss individual interests Gamification is the craft of deriving fun and engaging
(related to areas or roles) and to explore new and elements found typically in games and thoughtfully
unforeseen issues. applying them to real-world or productive activities.
• Tedium—TTEs are a means to expand the scope Game mechanics such as points, challenges,
of an enterprise’s human, process and leaderboards, rules and incentives make game-play
technology assets. For some individuals, the enjoyable. Gamification applies these mechanics to
prospect of a TTE meeting may not be exciting, motivate the audience to achieve higher and more
so it is important to make the exercises meaningful levels of engagement.14
interesting.
Many enterprises have experimented with
• Boring scenarios—The TTE scenario should gamification to improve end-user awareness. The
ensure that all the participants are engaged. results have been remarkable.15 Games have the
Maintaining their interest in the conversation ability to disarm people, negating their natural
throughout the session can be difficult, but it can aversion to meetings because games make them fun,
be accomplished by including issues that are and most games are associated with the chance to
specific to the participants’ areas of responsibility. win. Although using games to increase people’s
• Lack of visual appeal—Pictures, short videos, engagement with work may seem counterintuitive,
manipulated images, simulated news and social game playing appears to be paying off in the areas of
media messages can create realism and keep cybersecurity awareness, incident response exercises
participants engaged. Failure to present a and cybersecurity skills development.
visually stimulating experience will result in less
interaction and more disengagement. Lego Serious Play Method
• Exercises that are too challenging or not In the search for innovative and proven methods of
challenging enough—Achieving the right balance game-based learning that can be used without any
can be difficult. If scenarios go too far, restrictions in the development and execution of TTEs
participants may be overwhelmed by the various and can mitigate the failures described previously,
problems presented to them. This can lead to a LSP is an obvious choice. In simple terms, LSP is a
reduction in active participation during the TTE. systematic method that enables people to use Lego
The same is true for a scenario that is too easy bricks to solve problems, explore ideas and achieve
to handle and does not test the team. objectives.16 Lego bricks are combined with animals,
”
BUSINESS PERFORMANCE, WITH THE FOCUS stake in the agenda.
Enterprises are strongly encouraged to adapt LSP is not just for incident response TTEs. Once
scenarios to use in their own incident response cybersecurity professionals understand and have
exercises. For TTEs executed with LSP, sample practiced and tested the LSP method, they can use
scenarios can be found in the Center for Internet it for other types of workshops, including security
Security (CIS) guide21 or appendix A of NIST SP 800- awareness, skill building, team building,
61.22 If an enterprise wants to simulate incidents cybersecurity program goal setting, cybersecurity
using cloud-based services, Amazon Web Services behavior modification and cultural activities within
(AWS) provides sample scenarios.23 the community, enterprise, workplace and home.