//How to Create a Successful Tabletop Exercise

How to Create a Successful Tabletop Exercise

Tabletop exercises

Even the best-laid plans can go terribly wrong with the simple introduction of the “human factor.” Implement this in the emergency response planning, when the stakes are high, and even the most thorough plan can begin to fall apart. 

The best ways to eliminate the human factor is to test your plans during tabletop exercises. It is equally important to have a high degree of accuracy in exercising.  

Tabletops are group exercises that examine the response of your crisis team to a specific scenario and quickly detect previously undetected gaps in your plan or issues that need to be addressed. Such exercises also work as a reminder of small yet crucial details, for example, whose responsibility it is to provide comments to the media if the VP of Communications is on vacation. 

These are some of the essential tips for maximizing an outcome of a tabletop exercise: 

Tip

Before deciding on a scenario, define a reasonable number (3-5) of objectives. For example, if you choose to test your organizational response to an Active Shooter incident, first determine what aspects of the response you need to focus on. Then, develop a scenario that aligns with the objectives.

Choose a Realistic Threat

A successful tabletop exercise should resemble the real world as closely as possible. This means choosing threats that are viable to the organization, as well as designing a scenario that includes realistic attacker behavior. 

Examples of real-world cyber security threats include a network infrastructure breach with data exfiltration, website-hosted malware, denial-of-service (DoS) or distributed-denial-of-service (DDoS) attacks, rogue wireless access points, or something as commonplace as a lost laptop that contains sensitive data or passwords. 

The type of threat chosen for a tabletop exercise will vary by industry and from one organization to another, but it’s essential that it mimics a threat that’s likely for that specific environment.  

During the Exercise: Have Clear Objectives and Follow the Schedule 

Make copies of your emergency response and business continuity plans and a whiteboard to track the progress. Before you begin, the moderator needs to review the objectives and scope of the exercise. Note that the crisis leader has the final say if there are conflicting opinions. It’s also important to keep track of time; the moderator needs to set time limits for each action item.   

Once the imaginary threat has been set into motion, each member of the group should perform – in real time – the actions they would take were that threat actually playing out. These will be based on the organization’s security plan that should be already in place. 

These actions include sending specific organizations to talk to the press, communicating to employees within the organization, and notifying clients and third-parties. They also include making decisions about whether to shut down systems, as well as collecting information and utilizing forensic software to identify the type of threat at play before working to remediate it. 

After the exercise is complete, review the process to understand what worked and what needs improvement. The rules of any successful meeting or a tabletop are to start on time, finish early and to offer refreshments. 

Tip

To improve the effectiveness of a tabletop exercise, FEMA recommends for all potential players to complete Incident Command System 100 and National Incident Management Systems 700A-level training, which is a quick, easy and free course. 

After the Exercise: Act on What Was Learned 

In addition to allowing the entire team to practice their response in real-time, the value in tabletop exercises is that they can help identify weaknesses and gaps in an organization’s response. Confusion about responsibilities, poor decisions, identifying new vulnerabilities, and finding weak points in the processes don’t indicate failure; rather, these are precisely what tabletop exercises are designed to weed out. 

After each exercise, it’s essential for the team to debrief and discuss any shortcomings in the response. They should also document what worked as well as what didn’t so the organization can identify vulnerabilities and missing links and work to patch and fill them. These recommendations will not only help the next exercise run more smoothly; they’ll ensure a more effective response when an actual threat strikes. 

Make sure action items are circulated after the exercise is complete and review and update your plans accordingly. 

Download our comprehensive Hurricane Tabletop Exercise Template

Start Testing
2019-06-05T08:34:07-07:00By |Categories: Blog|

About the Author:

Content Marketing Specialist at Agility Recovery
Impacted by the PG&E rolling blackouts in California? Check out our California Blackouts Resource Kit!DOWNLOAD KIT
+