×

Cyber war game activities let companies practice their responses to a range of cyber incidents, thereby helping to improve their resilience when inevitable cyber attacks occur.

The government and military have long used war gaming exercises to practice their attack and response capabilities. Today, in light of ongoing, high-profile data breaches and mounting regulatory pressure, some private sector enterprises are using cyber war games as a way to test their ability to respond to cyber incidents.

Cyber war gaming is an interactive exercise that immerses participants in a simulated cyber attack scenario, such as a data breach, website defacement, denial of service attack, or the discovery of sophisticated malware on a corporate network. In the last 18 months, a variety of companies in several sectors, including financial services, energy, and health care, have staged industry-specific cyber war gaming exercises to rehearse their response to coordinated attacks.

Cyber war games differ from traditional assessments of organizations’ cyber threat preparedness in a number of ways, according to Daniel Soo, a principal with Deloitte & Touche LLP’s Cyber Risk Services practice. Whereas traditional cyber threat preparedness assessments focus on evaluating technology controls and the completeness of incident response plans, says Soo, cyber war games bring the experience of responding to a cyber attack to life. In so doing, he adds, they give participants the opportunity to practice their responses in a safe, controlled environment, and they help organizations assess the effectiveness of their cross-departmental coordination and communication. Cyber war games also bring to light unexpected decisions companies may face, such as whether to shut down part of the corporate network, in addition to escalation paths for making those decisions.

“Using cyber war games, organizations that feel unprepared to deal with cyber incidents can develop their response capabilities in a very targeted way,” says Soo.

How Cyber War Games Work

In many situations, organizations wishing to objectively assess their response capability will engage an external third party to design, facilitate, and run the war game on their behalf. The third party develops a war game scenario based on the threats facing the organization and its industry, and the organization’s objectives for the exercise. According to Soo, an organization’s objectives may include a need to define and clarify the roles and responsibilities of cyber responders, improve communication among them, understand decision-making authority, or highlight interactions with third-party business partners. The war game facilitator develops scenarios designed to tease out those objectives.

The sophistication of cyber war games can vary from relatively simple “table top” exercises to full-blown, dynamic simulations. In a table top activity, facilitators brief participants from different business functions on the attack scenario; participants then go about exercising the company’s incident response plan, according to Soo.

Simulations are structured differently. Participants typically don’t know when the “attack” will occur or what form it will take. Instead, they have to piece together clues they receive from facilitators indicating something is amiss. Those clues could be applications that are running slowly, timing out, or otherwise improperly functioning. “Participants must be able to identify potential cyber incidents, then invoke their response plans,” says Soo.

Additional Benefits

While cyber war games take time and resources to plan and execute, many organizations that conduct them say they’re well worth the effort, according to Soo. “They bring together, in a meaningful and focused way, disparate stakeholders who may not be accustomed to collaborating,” he says. “These exercises allow stakeholders to get to know one another, and the relationships they build during a simulation often helps to smooth an organization’s response to actual cyber incidents.”

Cyber war games also help to identify potential gaps in an organization’s preparedness and response plans. For example, participants from one organization executing a war game centered on a financial fraud scenario decided to temporarily halt high-value banking transactions in order to contain the damage from the attack, only to find out they didn’t have the technical capability to limit those transactions, according to Soo. Suffice to say, a takeaway from the war gaming exercise was to build the technical capability to do so.

Another benefit of cyber war games: They may prevent participants from getting mired in minutiae and organizational politics. Soo notes that during traditional cyber threat preparedness assessments, meeting participants may begin criticizing the cyber response plan, saying, for example, it should have been written by someone in risk or crisis management as opposed to IT security. By contrast, cyber war games focus participants on responding to an incident. Once they’ve completed the simulation, notes Soo, they can document gaps in preparedness and improvement areas, or debate which function should own the incident response plan.

“After a cyber war gaming exercise, participants often say the experience was fun,” observes Soo. “What better way to engage senior leaders in addressing cyber risk issues than through a focused activity that’s not only effective, but is also fun?”