The 4 types of Cyber Exercise that can help your organisation
Cyber exercising plays an important role in testing and developing an organisation’s cyber security posture. However, just like the organisations that use them, not all cyber exercises are the same. This post will give a brief overview of the 4 main types and describe when you should use them.
The four most common types of non-intrusive cyber exercise are seminar, workshop, tabletop and game. What connects and differentiates these types of exercise is the maturity of the cyber security programme in the organisation using them. Here’s a quick summary of each type.
Seminar. This is aimed at organisations that are just beginning to develop their cyber security programme. The seminar is just that – a conference or meeting to discuss cyber security. At this stage, even some of the simplest-seeming items, such as who should even be involved, may take time to understand and decide. Exercise play consists of talking through how an incident would be handled. The seminar format works well because it is flexible and allows friction points, of which there are likely to be many at this point, to be discovered.
Workshop. These begin to formalise the output of the seminars into actual policies and procedures that will govern how an organisation responds to a cyber incident. Like the seminars, they offer a flexible platform for exploring how the developing plans would respond to a real-life scenario.
Tabletop. These begin to properly test the documented policies and procedures. They are less flexible and look more to assess how effective the policies are in the contemporary threat landscape. Whereas the seminar and workshop dealt with isolated incidents, tabletop exercises begin to introduce a narrative and more complex situations.
Game. These aim to test the organisation’s response in the full range of realistic scenarios. An exercise narrative will be established to provide context and the training audience will be exposed to cues as if they were experiencing a serious cyber security incident.
It is important to pick the right level of exercise for your organisation. If the exercise is not aligned correctly with the organisation’s cyber security maturity, then the objectives will be unachievable – you can’t test how a procedure would perform in a real scenario if the procedure doesn’t yet exist.