Overwhelm. Lack of engagement. Limited resources. Irrelevant examples.
Yikes.
These are all possible reasons why most IR training and cybersecurity tabletop exercises fail to engage stakeholders and business owners—and unfortunately, every single one of those can spell doom for your bottom line.
The solution? A guide that walks you through IR and cybersecurity training tools that foster actual decision-making and engagement. And that’s exactly what our experts have put together.
Read on to learn more about how to run your best TTX yet, and how to turn findings into profitable takeaways for yourself and your client.
Don’t worry. We’ll spare you the Star Wars reference. Instead, let’s take a walk down memory lane and get a healthy dose of nostalgia to inspire our TTX worldbuilding process.
If you're a certain age, you may have seen the cartoon Where in the World is Carmen Sandiego?
If you remember the name, close your eyes and picture the character. Trust us. Then, come back to this blog. If you don’t know what we’re talking about, do a quick Google search and catch up on one of the coolest cartoons of all time.
TL;DR: One of the main draws of that show and the character in general is the worldbuilding and lore surrounding the character.
She is memorable and distinct.
She is a villain with complexity.
She sports an unmistakable red coat and fedora.
She engages the audience to a point that they don't realize they are learning something.
And that’s exactly what IR training specialists need to do with their cybersecurity training sessions. You need to build a world and make people believe in what you’re testing and telling. Otherwise, what’s the point?
“When I’m creating cybersecurity tabletop exercises,” states Sean Todd, CISO at Auditive, “I think about how I can recreate that immersion, that depth of emotion and personality like we see with Carmen Sandiego, and most importantly the buy-in the audience has for the character. Those are critical to making sure that your audience wants to learn and wants to participate.”
As the IR training consultant and “moderator” of the TTX, it’s your responsibility to ensure your stakeholders understand the world you are asking them to believe in during a cybersecurity training. The first step in this process is cobbling together the basis of your story arc: your characters, their motivations, and a thrilling, relevant plot.
The audience doesn't (and shouldn't) know all the intricate details you've cobbled together, but you will need them to understand character motivations and the plot you write.
Once you get at least one or two written completely, you can re-use the world you’ve built and grow your audience's buy-in.
You transition from an outside IR consultant to a storyteller, a truth-seeker, and an active problem-solver alongside the team.
Practically speaking, you’ll also spend less time in the setup phase of your training since your audience will be familiar with the setting it takes place within. So there’s high ROI involved for you, too.
All you have to do is lay the foundation, then consider each subsequent “scenario” as the next “episode” in a series that protects, defends, and secures your audience’s cyberscape.
Easy, right?
If we’re being realistic, most of your audience will have limited time to devote to your exercises. To avoid overwhelm or a lack of action due to schedule conflicts, consider breaking up the activity across smaller “episodes.”
Here’s an example of how you, the IR training expert and moderator, can break up an insider threat scenario while still having a satisfying conclusion to each “episode.”
1. Start Your Series With Intrigue - This episode lays the groundwork for all others. It's your chance to describe the world in which your audience finds itself. They will also get some of the initial evidence that something has gone seriously wrong. At this point, there shouldn’t be enough info to point at a particular suspect, but there should be just enough to leave your audience on a tantalizing cliffhanger. For example: "You've found undeniable proof that trade secrets are leaving your systems, but how? Who could be behind this? Can you catch them before they catch on to the investigation?"
2. Bring Your Followers to a Revelation - In the next episode, your main job will be to help your audience discover (and consider) the possibility that there might be one or more insiders helping facilitate the exfiltration. Worldbuild and explain, giving them enough information to narrow the suspect pool down to just a few employees. (Our tip? Don’t be afraid to play devil’s advocate to help them really get into it. Go ahead, be chaotic neutral.)
3. Help Them Sort Through The Fallout - Episode three is a classic midseason plot twist. In this episode, help your team start the employee investigations and interrogations, and have them try to find incontrovertible proof against the suspects. Guide them through making sure that it isn't a false trail laid by the real suspects. In the end, give them just enough information to throw suspicion on a higher-level employee (like an executive).
4. Indulge Your Players in a Complete Resolution - In the final episode, your audience will root out the insider threat network and tie it all together. Celebrate the win—and follow it up with additional IR training steps, like an engaging debrief.
If you are using an external threat actor, you need to make sure that they are believable and evolve—both in the world and throughout your exercises.
For example: You could create a world where your company is consistently targeted by an advanced criminal cyber gang. One scenario could be that they are probing your systems, the next could be them successfully ransoming some part of your data, and the final scenario could be them seeking some sort of vengeance for being caught in the first two scenarios.
(Talk about thrilling!)
Once you’ve had a chance to establish the main villain features, it’s time to pick and choose personality traits and superficial elements that make your characters real, believable, and raw. Remember that the more complete the characters are, the more consistent they will be and the more your audience will believe in them.
Much like society, your cybersecurity training needs to have a set of rules that govern how things work.
Many IR training experts and consultants have had success using a turn-based game style for their cybersecurity training exercises. If you choose to do this style of training, your participants will be given one action per round—much like a game of Dungeons and Dragons.
This game style has a ton of benefits, like making sure that one particular participant doesn't dominate to the detriment of others. It also creates a sense of urgency and resource constraints that would happen in a real response.
Nobody wants an IR training that drags on, even if they are having fun. Adding time constraints also enhances the realism.
Here are some creative ways you can add time-based pressure to your cybersecurity training:
Now that you have a well-defined world for your exercise, it’s time to build excitement with your audience.
We recommend starting a week or two ahead of the exercise by opening up a communication channel (like you would on Slack or Teams) for your audience. You can then use that channel throughout the week or month prior to the IR training to market the event and build some buzz.
Other tools you can use both in and out of your newly minted communication channel include:
Redacted log file drops. You can use some of the fake evidence you generate for the exercise to help market it, redacting key portions of it like a murder mystery game case file.
The best board games involve some element of randomness, and your exercises should be no different. Rigid exercises hamper the ability of your team to think on their feet. To achieve this, try including some event cards—think of the Chance cards in the game Monopoly—to add some twists and turns to your exercise.
Here are a few ideas to get you started:
Make sure that when you create these cards, you include a balance of good and bad so your participants will want to use the cards.
Just as a generation of children learned geography by watching Carmen Sandiego, you can master incident response to inspire your organization to learn all about information security threats and responses. All you have to do is use your imagination, create a miniature “world”, and lessen some of the setup time using modern tools like GenAI. It’s never been easier to optimize your exercise.
Looking for extra help? We’ve got just the Ally for you. Asa, powered by Ally, is your friendly scribe who’ll join, listen, and create your customizable TTX report in mere minutes, taking on the admin tasks so you can do what you do best—fight the dragons and protect the jewels. Experience the difference for yourself (for free!) today.
About Ally Security
Ally is here to support facilitators, which in turn creates a virtuous cycle where exercises take less time, provide more value, are run more frequently, and every organization can be better prepared.