Cyber Incident Exercises - Part 1: What and Why
This article is the first in a series on cyber incident exercises. It should be read by managers and executives within organisations that are considering running cyber incident exercises.
Key points:
Exercises provide a safe, simulated means for organisations to explore their ability to respond to cyber incidents.
Exercising can achieve objectives ranging from demonstrating operational effectiveness through to meeting legal and regulatory requirements.
Organisations considering exercising should first clarify the objectives the exercise is intended to achieve.
Introduction - cyber security risk
A security incident can pose an existential crisis for any organisation. In a global survey of risk management experts published in 2024, cyber security incidents were ranked as the most serious concern by 36% of respondents. This puts cyber security incidents ahead of other risks such as business interruption, natural catastrophes, political violence, or pandemics.
Most organisations rely on third parties to provide the specialised capability required to respond to cyber incidents. This can create challenges around communication and organisational familiarity when an incident does occur. Cyber incident exercises are a useful tool for building that familiarity and muscle memory within the organisation itself, enabling more effective interaction with incident responders when the time comes.
What are incident exercises?
As a broad definition, exercises are facilitated events in which a group of participants perform their actual roles in a simulated scenario.
This definition distinguishes exercises from practical activities such as penetration testing (‘pen testing’) or breach and attack simulation (BAS), which occur on an organisation’s live systems. This definition also emphasises that the role performed by the participants should be one that they are expected to perform in real life. A simulation or a game that lets participants experience an unfamiliar role, or that provides initial training in a simulated environment, should be distinguished from an exercise.
Among the wide range of functions that an organisation might exercise, the focus of this series of articles will be on exercises simulating a cyber security incident. The UK’s National Cyber Security Centre (NCSC) defines a cyber incident exercise as a “controlled, scenario-based opportunity for organisations to practise, evaluate and improve their cyber incident response plans in a safe environment.”
Cyber incident exercises can occur in different formats, levels, and scopes, ranging from small table-top exercises at the board level through to large live-play exercises involving multiple teams across different levels of the organisation. These different types of exercise will be examined in a later article in this series.
The importance of determining exercise objectives
The first question facing an organisation considering cyber incident exercising is not what type of exercise to conduct. The answer to this follows from a more fundamental question: what is the exercise intended to achieve?
There are many reasons why an organisation might run cyber incident exercises. For example, an organisation might want to test the operational effectiveness of its cyber incident response plan, and hence of its broader digital and operational resilience.
Conducting an exercise can also demonstrate the operational effectiveness of these plans to stakeholders ranging from the board through to external stakeholders and regulators. In some jurisdictions and sectors, exercises may also be a legal and regulatory requirement.
It is important to be specific in terms of the objective. For example, an exercise might be intended to test the operational effectiveness of the entire cyber incident response plan, or its goal might be narrower, focused on technical response capability.
Be specific - establish metrics
Organisations should consider the opportunity and investment cost involved in conducting exercises, and compare this to alternative training, testing, and assurance methods. Determining return on investment (both for internal use and for engagement with regulators and shareholders) will require metrics that can be assessed.
This underlines the importance of clearly specifying the intended goals of an exercise in advance. These goals should reflect the organisation’s specific challenges and regulatory environment, as well as its level of maturity. What good looks like will differ between organisations with different threat contexts, regulatory requirements, and levels of maturity.
At the same time as being specific on metrics, it is also important to recognise the less tangible and indirect benefits that exercising can bring. These can include building greater familiarity within and between teams, strengthening teamwork, and building trusted relationships between individuals. Measuring these changes is more difficult, but organisations should consider how to factor these benefits into their calculations.
The design of the exercise follows on from the answers to these questions about goals and metrics. As we will explore in the next article in this series, there is an array of different exercise types and designs that can be used to achieve the organisation’s desired objectives.
Learning points:
Cyber security incidents pose an enduring, serious risk to organisations.
Exercises can be a key component of a mature, holistic response to cyber security risk.
Exercises provide a simulated environment for participants to perform their actual roles and responsibilities.
Cyber incident exercises focus on the response of an organisation to a cyber incident.
Cyber incident exercises can achieve objectives ranging from demonstrating operational effectiveness, through to meeting legal and regulatory requirements.
When considering exercising, an organisation must determine what objective the exercise is intended to achieve.
Establishing metrics around the exercise objectives can demonstrate return on investment and support communications with stakeholders.
Tyburn St Raphael is experienced at delivering cyber incident exercises. Whatever your goals, Tyburn St Raphael’s seasoned cyber incident exercisers will work with you to deliver the right exercise for your organisation. You can learn more about our cyber incident exercising offering or get in touch with us at info@tyburn-str.com.