On March 6, 2019, we hosted a tabletop exercise at Sword & Shield CyberCONNECT in Portland, Oregon. Most information security practitioners have either conducted or participated in a tabletop at some point, but this one is a bit different. Rather than testing or introducing incident response, it’s about practicing Risk Management in a real-world setting.

We divided the audience up into teams of about seven participants, with a range of experience from technical engineers to executives. The goal is for each team to collaborate on their strategy and approach to the exercise, sharing experience and perspectives they might not hear in their daily work.

Setup

Each team is given a budget planning scorecard, a short background on their company, and 10 Resource Coins [RCs] as their starting budget. RCs are an abstraction intended to represent budget dollars, time, headcount, executive attention, etc.

The budget scorecard is divided into five main categories, plus a Reserves account. The team allocates their RCs according to their agreed-upon strategies and these rules:

  • Production – this represents the product lines of the company, including product design, manufacture, sales and marketing, etc. The company must have a minimum of 1 RC allocated to production.
  • Insurance – in the abstract world of our exercise, you only need one policy to cover your needs. The minimum coverage costs 1 RC and would cover a loss of 2 to 5 RCs, depending on the type of claim.
  • Operations – investment here represents incident response and support. There’s no minimum requirement. All overhead functions are assumed to be covered in a basic budget, and the decisions here are about improving – or forgoing – the business’s ability to respond to disruptions in production.
  • GRC – this represents investment in compliance and policy functions. In our simulation this mostly impacts regulatory actions and related incidents. Investment here can’t prevent incidents, but it does reduce the fallout associated with regulation and compliance issues.
  • Process – investment here is time, money, and energy spent on improving processes in the company. It has no impact on production, incident response, or anything else in normal operations, but it earns “Advantage Coins” to make future budget allocations more effective.
  • Reserves – teams can leave some RCs unbudgeted for later use. We’ll cover why they might in the next section.

Through the Years

Each year of the scenario is run as four quarters. In each quarter, a randomly selected event occurs.

  • Most frequent are News events; they may affect future events, but they don’t have an immediate impact on the company.
  • Market events will impact the company this year in some way, most often by affecting Production results positively or negatively.
  • Finally, Crisis events are emergency situations. More on those later.

After each event, the teams have time to make changes to their budget, but they don’t get a lot of time. Events move fast, both in real life and the simulation. Budget changes have three restrictions:

First, no budget changes are allowed during a Crisis. It’s too late to adjust and prepare, and teams have to go with what they’ve got.

Second, teams can’t move RCs out of the Insurance category, although they can add to it.

Finally, any move of RCs from one category to another incurs a 1 RC penalty from Production. The exception is moving RCs from Reserves, which skips the penalty. See? Told you there was a reason to do that.

At the end of the year, based on Market events (and some rolls of the dice), the teams make revenue based on their Production RC allocations. Money spent on Insurance goes away. Advantage Coins are allocated according to Process development investment, with the highest-investing team gaining the most.

And then we do it again… for four to five rounds, which is enough to get into a rhythm and see how strategies are playing out.

Crisis!

Crisis events fall into a few different categories, but all of them have a severity (small, medium, large, or catastrophic) and threaten Production. Based on the event scenario and a roll of the dice, the event does a certain amount of “damage” ranging from 1 to 20 RCs.

But all is not lost! GRC and Operations spending can mitigate or eliminate these losses, depending on the type of incident. A data breach, for example, is mostly affected by GRC spending, while a natural disaster is mostly affected by Operations spending. If these aren’t enough to completely eliminate the impact of the crisis, well, that’s what the teams have Insurance for… they hope. See, if they had a data breach – and didn’t have any GRC spending – the insurance company isn’t going to pay out much for that, whereas disaster coverage would be paid out in full.

And if that’s not enough to cover the loss? Well, then they have to cover the rest from their Production funds or Reserves, and if necessary take out a loan they’ll be paying off for the rest of the game.

There can be other long-term effects, too. If there’s a data breach event without enough GRC spending, for example, the company is going to be hit with a regulatory fine and have mandated spending in GRC for the rest of the game.
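To make the Crisis rules concrete, here is a small model of a team's budget and the loss waterfall described above (mitigation, then Insurance, then Reserves and Production, then a loan). This is an added example, not material from the exercise itself; the per-RC mitigation weights, the payout caps and the "unprepared breach pays little" amount are assumptions, since the page only gives the 2 to 5 RC coverage range and says which category "mostly" affects each crisis type.

```python
from dataclasses import dataclass
MIN_PRODUCTION = 1  # page rule: Production always keeps at least 1 RC
# Assumed numbers (the page only says "mostly affected by" and "not much"):
# RCs of damage absorbed per RC spent in each category, by crisis type.
MITIGATION = {"breach": {"grc": 2, "operations": 1}, "disaster": {"grc": 1, "operations": 2}}
COVERAGE = {"breach": 4, "disaster": 5}  # assumed caps, inside the page's 2-5 RC range
UNPREPARED_BREACH_PAYOUT = 1  # assumed: a breach claim with zero GRC pays little

@dataclass
class Budget:
    production: int = 1
    insurance: int = 0
    operations: int = 0
    grc: int = 0
    reserves: int = 0
    loan: int = 0  # debt carried for the rest of the game (Process omitted here)

    def move(self, src: str, dst: str, amount: int, in_crisis: bool = False) -> None:
        """Apply the page's three budget-change restrictions."""
        if in_crisis:
            raise ValueError("no budget changes during a Crisis")
        if src == "insurance":
            raise ValueError("RCs cannot be moved out of Insurance")
        if getattr(self, src) < amount:
            raise ValueError(f"not enough RCs in {src}")
        setattr(self, src, getattr(self, src) - amount)
        setattr(self, dst, getattr(self, dst) + amount)
        if src != "reserves":  # only moves out of Reserves skip the 1 RC penalty
            self.production -= 1
        if self.production < MIN_PRODUCTION:
            raise ValueError("Production would drop below its 1 RC minimum")

def resolve_crisis(b: Budget, kind: str, damage: int) -> dict:
    """Absorb damage in order: mitigation, Insurance, Reserves, Production, loan. Mutates b."""
    w = MITIGATION[kind]
    absorbed = min(damage, b.grc * w["grc"] + b.operations * w["operations"])
    left = damage - absorbed
    payout = 0
    if b.insurance >= 1 and left > 0:  # one policy is enough to be covered
        cap = UNPREPARED_BREACH_PAYOUT if kind == "breach" and b.grc == 0 else COVERAGE[kind]
        payout = min(left, cap)
    left -= payout
    from_reserves = min(left, b.reserves)
    b.reserves -= from_reserves
    from_production = min(left - from_reserves, b.production - MIN_PRODUCTION)
    b.production -= from_production
    loan = left - from_reserves - from_production
    b.loan += loan
    return {"absorbed": absorbed, "insurance": payout, "reserves": from_reserves,
            "production": from_production, "loan": loan}
```

Running a 12 RC breach against a balanced 10 RC budget (4 Production, 1 Insurance, 2 Operations, 2 GRC, 1 Reserves) ends with no loan, while the same breach against a Production-heavy budget with no GRC leaves the team paying off debt for the rest of the game.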

And the Winner Is…

Who wins? Well, you might choose to have a prize for the highest-performing company, but it’s worth debating what that means.

Does a company “win” for gambling on Production spending and hoping there’s no crisis event? For suffering the least damages? Or, is the real prize the fresh perspective gained from going through this type of exercise and having the chance to look at the big picture?

The exercise allows people to experience strategy decisions as a whole-company, long-term thing. They get to see the environment in which a company might operate, make risk management decisions with imperfect data and inadequate resources, and watch how those decisions play out over time.