The PlexTrac blog proposes a series of basic questions you need to answer once you’ve decided to move forward. Hopefully our description so far has brought home the reasons why an organization would conduct one. Just as important a question, however, is who will participate. This goes beyond just needing to know the emails of people to invite; the types of team members participating will shape exactly what kind of exercise you’ll have. For instance, an exercise where the participants are all members of your cybersecurity team might focus on identifying and defeating an advanced persistent threat; an exercise where participants are drawn from across the company might look at the consequences of a cyberbreach and how technical, legal, and communications departments should react to it.

Another important question to consider is when: Should you conduct tabletop exercises annually, or more frequently, to drum up vigilance among your employees? Then there’s where: The obvious location, as you’d guess from the name, is sitting around the table in a conference room, but exercises could also be conducted via videoconference for distributed teams. Finally, there’s the absolutely crucial question of how. While there’s no one right way to conduct a tabletop exercise, there are some important tips that will help you make the most of your tabletop exercises.

Planning a tabletop exercise

Jack Eisenhauer at the Nexight Group outlines a process for planning a tabletop exercise that takes many of the above questions into consideration. He breaks down the process into three phases, each of which includes three key activities. These correspond to the time before, during, and after the exercise takes place, but you’ll need to plan in advance to make sure each step comes off properly in practice.

1. Design
   • Clarify the objectives and outcomes, determining what you hope to achieve and how you’ll use the results after the exercise is over.
   • Choose your participant team, including key decision makers and perhaps even executives who can use their influence to put an after-report into action.
   • Design a scenario and exercise plan that’s believable and will prompt discussion.
2. Engage
   • Create an interactive, no-fault space, encouraging people ask questions and make mistakes.
   • Ask probing questions of the participants, following a script but being prepared to improvise.
   • Capture issues and lessons as you go using visual tools and a timeline—don’t rely on note-takers.
3. Learn
   • Prepare an after-action report that includes documentation of the exercise along with areas of potential improvement.
   • Create a specific near-term plan based on the results of the exercise.
   • Provide tools and guides to boost learning, finding resources that feed the needs revealed by the exercise’s outcome.

Tabletop exercise objectives

Let’s focus for a moment on one element here: the objectives of the exercise. To put it bluntly, what are you hoping to get out of running a tabletop exercise for your organization? It’s important to distinguish these objectives from the goals for the participants within the exercise itself. For instance, participants in a tabletop exercise might have the goal of figuring out how to restore your organization’s databases as quickly as possible in the wake of a disaster. But the overall objective of conducting the exercise is to stress-test the organization’s disaster recovery plan and see if teams know how to best work together in the face of unexpected problems.

The National Association of Regulatory Utility Commissioners, a group that knows a little bit about the necessity of being prepared for a crisis, suggests the objectives be SMART, by which they mean:

1. Specific—addressing concrete questions and specifying action items
2. Measurable—establishing metrics for success up front
3. Achievable by the participants in the time allotted
4. Relevant to the mission of the organization
5. Time-bound within a reasonable timeframe established in advance

Leading a tabletop exercise

There are plenty of consultants who will be happy to lead a tabletop exercise at your organization; however, due to these exercises’ informal nature, more often than not they’re led by internal staff, and you almost certainly have someone who would do a fine job of leading a tabletop exercise using a guide and some solid examples.