Factors to Consider When Planning Cyber Table Top Exercises

Factors to Consider When Planning Cyber Table Top Exercises

A cyber breach Table Top eXercise (TTX) is an excellent way to exercise your incident response preparedness. Waiting until an incident occurs is not the best time to put your incident response plan to the test! We have seen this happen on many occasions.

By Tom Williams

Investigative Consultant

04 Oct 2017


Even if you are not yet at the stage where you have a fully developed incident response plan, a TTX can still help you obtain the clarity and focus required to develop one. Indeed, it can help prioritise areas for wider improvement so that your organisation is in the strongest position it can be when an incident does occur.

So, if your organisation is considering a cyber breach exercise; what factors will help ensure that you get as much value from it as possible? From our extensive experience in delivering these sessions, for a variety of clients across multiple sectors, this blog covers some essential tips.

Have the scope and objectives defined

Before you start planning your exercise, ensure that you have liaised with internal stakeholders and outlined the scope and objectives for the session. Having this agreed up-front is essential in ensuring that you get the most from the exercise. What are you going to be testing? Communications, legal or policy issues, your incident response plan? It may be all of these things.

Defining the scope and objectives is critical in understanding which personnel need to be in attendance, especially if your key stakeholders or incident response team sit across multiple departments and locations.

One benefit of running an exercise like this, especially for those new to this and who maybe do not have a defined incident management team, is that you often realise (during or after the exercise) that the attendee list needs to be refined. If you are running your first exercise, my advice would be to keep the participant list to a core group (5-10 maximum). If required, other attendees can always get involved via video/telephone conference. Keeping large numbers of attendees involved and engaged in a basic exercise is difficult, for more complex exercises the attendee list may be longer.

Consider the blend of participants. At Context, we run our sessions along the Gold (Strategic) / Silver (Tactical)/ Bronze (Operational) command structure created by the Metropolitan Police. Organising participants into these functional groups provides clarity around ownership of decision making, and allows for strategic direction to be more effectively translated into operational level tasks.

If you took the same scenario and posed it to each of these levels, it would raise very different issues and decisions for each grouping. Therefore, selecting the correct blend of participants between these groups to participate in the exercise relates directly to the core objectives of the exercise and what is being tested.

Finally, having a defined scope from the start allows you to suitably measure during the wash-up how successful the session has been and what improvements can be made.

Appoint a suitable facilitator

The importance of this is often overlooked. A good facilitator will keep the scenario on track, coach and assist participants with their responses while keeping them focused. The selected individual needs to be able to create an environment in which people feel comfortable enough to contribute. Some of the best contributions I've observed when running table top exercises have come from individuals with very different perspectives on the topics being discussed. It should be an open and non-threatening environment. Using a third party as a facilitator can be useful for impartial marshalling of the scenario; it can also provide a different perspective which can be extremely useful in the wash-up.

Pitch it at the right level

Your current level of security maturity will be a key factor when determining what type of exercise is right for your organisation. If this is your first time running a cyber breach table top exercise, do not over complicate it. Ensure that the scenario runs logically and that you keep the number of scenario updates (injects) to no more than five; this will give you enough material for a session of around two hours.

If you have run exercises of this type before, you may want to create a more advanced exercise for participants. You may decide to split the participants up into their core functional groups and provide them the same core thread for the scenario. However, you can then drop in additional information that continues to build the scenario but restrict this to specific groups only. This puts the onus on each group to decide whether supplementary information received is relevant and whether they should share it with their colleagues. This style of exercise works well when testing information flows between departments and the practicality of executing an incident response plan.

This type of exercise works well over a period of between three hours to half a day. It will require more planning and choreography to be undertaken by the facilitators, but the results can pay dividends. 

To take your table top exercise to the next level, you could look to include more functional elements, for example role-plays and specific activities. Get participants involved in preparing briefings for senior members of staff, crafting press lines or partaking in role-plays such as mock press interviews.

If you are mixing technical and non-technical staff, you could also consider running a more technical exercise separate to the main scenario that feeds back into it in some way. There are lots of options; be creative.

Scenario development

When developing scenarios for your exercise, it is important to ensure that it is relevant and specifically linked to a business objective or impact. A consultative approach should be adopted when developing a suitable scenario and again, creativity is important. You could seek to utilise information from previous incidents (either internal or external), conduct open source research or engage a threat intelligence provider to develop a scenario collaboratively.

You may seek to use a top-down approach to scenario development if more senior members of staff make up the majority of the attendee list. In this instance, you would seek to identify a scenario that would negatively impact a business goal, as determined by senior management. Directly relating a scenario to business goals can help to engage more senior audience members and get their buy-in.

A bottom-up approach to scenario development may be better suited to a more technical/tactical TTX. This is particularly useful if you are testing incident management processes and procedures relating to specific systems or services. Start the process with some quite generic risk scenarios linked to a business objective. Then work alongside business functions with specific knowledge of the systems or services being tested to create more bespoke and complex scenarios; incorporating coinciding events. This kind of scenario would not function well when seeking to engage senior management, as they may lose interest in highly specialised technical scenarios.  
When the scenario is developed, you could also consider making the delivery content more engaging by including screenshots of mock-up defacements, news headlines or media interviews. This option is for more advanced exercises where resources and budget are not an issue!

Plan way in advance

Even just coordinating diaries for this many people, particularly if more senior, can require months of advanced notice. Planning your scenario, familiarising yourself with the content and producing facilitator materials can take a long time; especially if you are planning this alongside your other day-to-day responsibilities. Consider utilising a third-party to deliver the exercise or get involved in the planning. Using an independent contributor can be useful for impartial marshalling of the scenario; it can also provide a different perspective which can be extremely helpful in the wash-up.


Having a wash-up directly after the exercise, a post-exercise report, or ideally both are a vital part of getting value from this process. These exercises can soak up a lot of time for both the facilitators and participants. Therefore, having a tangible deliverable in the form of a record, including feedback from the exercise can be valuable in understanding where your organisation's strengths and weaknesses are. Also, feedback on how the exercise worked for the participants is also instrumental in improving and developing future exercises.

If you have a question for us or require any further information, please get in touch.

Contact Us

About Tom Williams

Investigative Consultant

CHECK IT Health Check Service
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor