Why WARGAMES?
Wargames—sometimes called decision games—are a time-tested means to evaluate your plans. Whether we’re talking miniatures skirmish games, script read-throughs, model UN, or the military decision-making process, decision games provide us a way to assess goals in conflict without the cost of defeat.
If we’re going to practice cybersecurity, our goals are in conflict. Wargames give us a no-cost (or at worst, very low cost) way to determine if we are prepared, what we overlooked, what resources are missing, etc.
Plus, they’re fun!
I recently had the pleasure of traveling to the International Conference of Computing in Missions – Europe, where I delivered an eight-hour workshop on building cybersecurity programs. Basically, a dump of the core tradecraft I use when serving as a virtual chief information security officer.
At the end of the class, we spent two hours doing table-top exercises—wargames—with the class of about 25 attendees. The game not only served as a fun way to end a long day, but also as a means to:
- Drive home the importance of incident response. Have you planned and prepared for emergencies?
- Highlight the multi-stakeholder nature of cybersecurity. Sure, the IT and cyber staffs may *want* to pull the plug on a compromised system, but what does that mean for the business/organization and the customers—or even the computers?
- Teach an evidence-driven approach to analyzing and responding to situations. That hypothesis sounds realistic, but where do you get the data to prove that’s what is happening?
- Teach teams to listen and share expertise between exercise attendees. Is there something a new professional sees because he’s fresh out of school or something the old hat sees because she’s been in the trenches before?
They’re also a great way to exhaust your remaining brain power quickly!
If you set your goals and outcomes in advance, wargames can be as simple as sitting around a table talking through actions and taking notes—something our teams can all afford to do a couple times before we bother hiring a facilitator. The goals are normally to evaluate readiness or a specific plan, but you may not yet have a plan.
At risk of sounding like I’m describing a magic bullet, wargames can also help you build a plan. Even if you have a small team—or even if you’re flying solo!—challenge yourself with a small problem like, “a user in marketing had their username and password stolen!” What do you do?
The odds are that your team already has an idea of what they’d do to respond. It just hasn’t been written down yet. At this point, the goal of the wargame is to capture the knowledge floating in each professional’s head so that the team can use it like a pre-surgery checklist in a real emergency.
1. Take turns talking through what each person would do in response to the problem. Make *everyone* talk when it’s their turn (introverts can conceal a wealth of knowledge).
2. Have a note taker write down the steps taken in response, whether right or wrong, in sequence.
3. After the game, ask which “steps taken” were effective and what resources were needed or missing. Keep taking notes.
4. Boil the list of steps taken down until it’s a simple checklist with broad steps (you can always add more details later).
5. Take action to start fixing resource gaps where you’re able to.
Wargaming is a flexible tool that doesn’t have to be expensive or complicated. Hopefully this helps you figure out a few ways you can plug exercises into security, crisis response, and risk management processes!