Cyber Wargaming: strategic decision making for effective cyber crisis management
09 September 2019
As the number of organisations falling victim to cyber attacks increases, so does the acknowledgment that responding to a cyber crisis requires making difficult decisions. Any organisation relying on online operations is vulnerable to attack - either because it is targeted or because it is collateral damage. PwC’s Global Crisis Survey 2019 showed senior executives list cybercrime amongst the most disruptive crises.
Disruptive cyber crises (e.g. the LockerGoga cyber attack) cause widespread financial, operational and reputational damage. As a result, data privacy and financial services regulators are taking direct action. Evidence of this is the Information Commissioner's Office's recent notice of intent to fine a household name £183 million in connection with a cyber security failure leading to a personal data breach. Coupled with this, there is a growing claims culture in the UK following cyber attacks. It is clear that a cyber crisis can have very significant consequences for any organisation.
How can organisations prepare?
Cyber crises require quick decision making under pressure where there is high uncertainty and many unknowns. Because the implications of a cyber attack prompt a series of business decisions with legal, financial, regulatory, reputational and operational consequences, cyber crises require a multidisciplinary response well beyond the IT team.
Increasingly, businesses recognise the importance of being ready to respond to a cyber incident. Preparedness activities, including discussion-based desktop and ‘live’ simulation exercises, are effective tools to validate plans and processes. They also enhance the individual skills, awareness and synergy of response teams. However, Cyber Wargaming offers a unique approach to exploring decision making in a cyber crisis.
What is Cyber Wargaming?
Wargames were originally developed to test military action plans. Their focus is on ‘action-reaction’ assumptions on how the ‘enemy’ will respond to different decisions. In cyber security, wargames are cross-functional exercises where two or more teams are prompted to make strategic decisions focussing on the “what if”. As such, corporate Cyber Wargames are invaluable in testing potential response strategies and undertaking scenario planning.
Facilitated cyber simulation exercises and wargames are similar in that both involve an element of replicating the “outside world” in real time. However, the key difference is that simulations focus on specific objectives (i.e. rehearsing the communication processes between different teams) while wargames focus on the strategic decisions made by senior executives. They enable teams to explore and understand what reactions their decisions will trigger across stakeholder groups, including customers, competitors, the media, regulators, employees - and the cyber attackers themselves. Thus, anticipating how these various players will react to specific actions, and why they act the way that they do, is at the core of a wargame.
Each wargame can be adapted to meet an organisation’s needs. Yet, the standard structure consists of a ‘blue team’, the exercising side, whose strategies and decisions are constructively challenged by a 'red team', representing external stakeholders.
Wargames are run across different stages: the blue team is presented with information, triggering the need to make challenging, or "wicked", decisions for which the stakes are high. For example, if the wargame scenario is centred on a data breach, decision makers will not only decide when and how they would notify regulators and customers, but they will also see the reaction to that decision and the consequences of it. This way, cyber wargames are aimed at helping organisations ‘play out’ their crisis strategy.
The value of a multidisciplinary approach to crisis preparation
To make wargaming valuable, the facilitators must be crisis specialists who can not only design a realistic and challenging scenario but also provide external stakeholder challenge and perspective. Involving a range of subject matter experts (SMEs) is key not only to ensure the scenario fits the organisation’s risk profile, but also to highlight specific issues. The ‘red team’ should include SMEs who are able to represent the views of the Media, Chief Information Security Officer (CISO), Regulator, Legal, Shareholders and Competitors. These SMEs need to be able to challenge the decisions of the ‘blue team’ while providing the ‘external perspective’.
Why Cyber Wargaming?
The ability to rehearse different outcomes of decision making enables teams to see beyond the immediate crisis and to understand the longer term consequences of their decision making. This includes how they would defend those decisions to the media, shareholders and regulators, should they need to do so at a later date. For this reason, wargames are amongst the most effective tools for senior leaders to gain confidence in decision making, challenge assumptions and become better prepared to face a cyber crisis.