Incident Response Tabletop Exercises for Beginners


As the cost of breaches of electronically stored information continues to afflict companies, being prepared for a potential cybersecurity incident is more important than ever.  This is especially true from a financial perspective.

A 2014 study sponsored by IBM found that the average cost of a data breach was $3.5 million, a 15% increase over the previous year [1]. Even though many companies draft incident response plans, some are forgotten once they are written.  The 2014 State of Risk Report, commissioned by Trustwave, found that 21% of companies either do not have an incident response plan in place or do not test it if they do [2]. Like any other process or procedure, an incident response plan should be a living document that is periodically tested and revised to meet current needs.

One effective way to maintain the plan is through tabletop exercises.  There are many resources available on developing and executing incident response exercises. However, someone who is not experienced with them may run into some pitfalls.

What is a tabletop exercise?

A tabletop exercise is a simulated real-world situation led by a facilitator, where you can react to events as they unfold in a classroom setting. Typically, the participants represent key areas that would be affected by an incident.


There are multiple benefits of an incident response exercise. These include:

  • Provides a way to test the plan

How do you know if your plan will work?  A documented plan that has not been tested may not work properly, no matter how good it looks on paper.  Additionally, the pace of the exercise can be controlled, allowing for questions and analysis of the plan's effectiveness.

  • Identify Gaps

Testing the plan will help to find areas of improvement that are better identified before a real incident occurs.

  • Determine interoperability

Plans can involve multiple areas of an organization and some of them may not typically work together.  Testing the plan can help participants to understand their roles and how different areas interrelate during a crisis. 


Before building the incident response exercise, there are a few prerequisites.  First, you need to have a plan in place.  No plan, nothing to test.  Second, it needs to be well documented.  Half a page of bulleted "to-do" items will not suffice as a plan.  NIST Special Publication 800-61 is a good resource for developing a plan [3]. Third, a well-versed, well-trained incident handler is important to the success of the effort since they will be facilitating the exercise.


Another important element to the success of the exercise is the participants.  Since the exercise scenarios can vary, the participants can vary as well.  However, there are certain core participants that would generally be included in most, if not all exercises.

Potential areas involved:

  • Public Relations
  • Legal
  • HR
  • Information Security
  • Physical Security
  • Business Continuity

Developing the scenario

There are multiple factors to consider when developing the exercise scenario. 

  • Straightforward and easy to understand

When developing the story line, consider scope, objectives and type of incident.  A story line that is technical or too convoluted will be hard for some participants to follow and they may lose interest.  The facilitator needs to be able to control the information flow and keep everyone on track.  Therefore, the fewer moving parts in the storyline, the smoother things will go. Examples include: lost laptop with personally identifiable information or a server infected with malware.  

  • What privacy laws may be affected

Many industries are regulated by some government body.  By taking this into account, the exercise can be more interesting and relevant.

  • Determine target audience (legal/compliance or more technical)

There is no one exercise scenario that can reach everyone.  The best course of action is to pick your target audience and develop the scenario to fit those participants.  Remember, maintaining an incident response plan is a process, so more than one exercise can be conducted with different areas.

Facilitating the exercise

Ideally, all of your participants should be in the same location.  As information and exhibits are presented, visually observing them improves the quality of the experience.   All of the participants should also have a copy of the cybersecurity incident response plan to review as the exercise is executed.  If any affected areas have their own procedures that they follow in an incident, those should be available as well.

It is important that you establish ground rules before the exercise begins.  These can include: an emphasis on "no fault" answers; reminding your participants that the goal is to test the plan and that aspects of the exercise may not go smoothly, which is to be expected; and, even though the exercise strives to be as realistic as possible, that you should not get hung up on the technicalities.

It is difficult to keep the attention of a group of people for extended periods of time. Keeping the exercise to 2.5 to 3 hours with a 15-minute break in the middle would perhaps be best.   This gives the participants a chance to get reenergized for the second half of the exercise.  After all, you want people to show up to the next one.

Finally, develop a timeline for the exercise.  If the exercise is three hours, figure 10-15 minutes of participant introductions and discussion of housekeeping items.  If you have five messages that will be presented to the group, then space them out approximately 30 minutes each with an additional 15 minutes at the end to wrap up.  This will avoid the group spending too much time on each message.


Send a survey to the participants.  Few plans are executed perfectly and this would be no exception.  It is important that you gather feedback on the exercise so areas of improvement can be addressed for the future as well as understand what worked well. 

[1] Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis

[2] 2014 State of Risk Report

[3] Computer Security Incident Handling Guide

About the Author

Joe Malec currently works in the financial services industry and has over 20 years of experience in information technology. He has been involved in leading security projects, managing incidents, and performing internal and external risk assessments.
