
Annual cybersecurity incident response tabletop exercises are a best practice and strongly encouraged. Whether this is the organization’s first tabletop or a regular occurrence, consider the following tips to keep the exercises fresh and engaging:
On-demand participation:
Assembling the incident response team may mean gathering non-technical leadership as well as technical leaders and technical experts. Ideally, participation is mandatory, and everyone fully engages in the exercise. Realistically, though, sitting in a long discussion without needing to participate in much of it leads to poor attention or reluctance to attend. To improve attendance and engagement, revisit the guest list and consider whether some attendees can be dismissed from the exercise until their role or perspective is needed. Participation “as needed” more closely mimics an actual cyber incident; some non-technical roles are only called upon to provide their expertise periodically during an incident.
Consider providing Communications, Financial, and Human Resources, etc. with the option to leave the exercise after establishing the goals and ground rules and ask these members to be on call to return when needed. Bringing in non-technical experts for shorter time periods during a tabletop also helps the incident response team practice more realistic internal communication scenarios, where different people may be briefed at different times on the situation.
Ditch (some of) the script:
Whether it is drawing cards or rolling dice, adding an element of chance to an exercise mimics the unexpected twists that real events take. Organized threat actors know when to attack to gain the upper hand: they target systems during busy times of year, around holidays, and before weekends when staff are less available. By rolling the dice to see if key responders are on vacation, have retired, etc., the exercise simulates the variability of staff availability during a real event.
Choose your own adventure:
Actual incidents change in scope and duration, depending upon the decisions made during the incident. Many cyber incident tabletop scripts tell the participants what happens next throughout the incident. Instead of following a scripted “and then this happens” scenario, tabletop exercises can be more dynamic. A simple tactic is to again employ the dice roll to see whether or not a discussed action or mitigation succeeded.
Walk the talk:
Leaders around the table at the exercise may be very confident that they or their staff know how to handle a response. To better test the reality of this confidence, consider asking participants to carry out some of the response steps. If the response plan designates scribes or assigns the role of documenting, have that person write down the steps taken, technical details, and decisions made during the tabletop incident. If the response involves contacting a specific expert who is not at the tabletop, consider actually contacting them during the exercise. Better yet, roll the dice to see whether the expert is available; if not, contact their backup during the exercise.
Create a custom build:
Even a few minutes spent going through a scenario is better than no practice. If key participants only have an hour, keep the exercise to one hour in length. Adjust details to match the nature of the organization. Look for relevance to current events and current risk. Even a less formal, quick discussion of “What would we do in this situation?” provides benefits to an organization.
Most people prefer a scrimmage to fine-tune their sporting skills, rather than sitting and talking about the strategy of the sport. By adding some of these elements to organizational tabletop exercises, the tabletop “exercise” becomes more of a tabletop “scrimmage”.
Additional References:
CISA Cybersecurity Tabletop Exercise Tips
The Power of Tabletop Exercises: What Dungeons and Dragons can Teach Us About Cybersecurity, Josh Harr, February 17, 2025, Protasec.
Exercise in a Box, United Kingdom National Cyber Security Centre