How to Plan, Conduct, and Manage Tabletop Exercises?

How to plan, conduct, and manage tabletop exercises?

A successful cyberattack impacts business operations, reputation, customer trust, and profitability. In the cyberspace, threats are evolving continuously, and tactics, techniques, and procedures (TTPs) employed by the attackers are getting sophisticated than ever. If an organization does not respond to a cybersecurity incident, there are good chances that it would either wind up or take years to get back on its feet.  

Ideally, organizations should plan for their business continuity, and cybersecurity is one set of risks that the top management cannot ignore. A Gartner report found that only 37% of organizations have a documented cyber incident response plan. While we continue to help organizations in setting up their incident response programs, it is equally essential to check its efficiency and improve it using the plan-do-check-act (PDCA) cycle. 


Our Tabletop Exercises are individually tailored to meet the specific data protection needs of each client. LIFARS experts identify and interview essential personnel to understand your company’s distinct capabilities and existing contingency plans, then use this information to formulate a custom data-breach scenario based on our real-world experience. 


What is a tabletop exercise? 

From our experience of working with organizations in mitigating cybersecurity incidents, effective incident response is not rocket science. However, it requires proper planning, documentation, and exercising. As a result, organizations can recover from a security incident before it affects their business on a large scale. Conducting a tabletop exercise is one such activity that seeks to validate an organization’s existing incident response plan. It involves a simulated scenario that would have large scale impact if it happened in real life. 

The participants of a tabletop exercise are either C-level executives or the internal security team. A tabletop exercise focusing on top management personnel analyzes an organization’s crisis management capabilities from an executive perspective. A tabletop exercise involving an organization’s internal security team examines its ability to detect, contain, and respond to a security incident. Some of the most important benefits of conducting tabletop exercises are: 

  1. Helps organization in finding loopholes in its incident response strategy. 
  2. A cost-effective solution as it does not disrupt or damage any system or its component. 
  3. Assists in removing communication obstacles so that swift decision-making is possible during an incident. 
  4. Enables participants to understand their roles and responsibilities and how they should coordinate with other participants. 
  5. Minimizes the scope for disputes, so that response to an incident does not get delayed. 

Plan, conduct, and manage a tabletop exercise: Best practices 

For a tabletop exercise to be successful and contribute to your organization’s crisis management, it must simulate a real-life crisis scenario. Participants of a tabletop exercise should be convinced the chaos is inevitable and they must act. An inefficient tabletop exercise is nothing but time waste for C-level executives or an incident response team. To get it right, our experts suggest the following best practices: 

List the objectives of a tabletop exercise

The first step before starting with a tabletop exercise is to identify its objectives. Having a clear-stated set of objectives will help in designing the exercise around them. For example, if an organization has recently set up an incident response team, one of the objectives can be the identification of loopholes in the team’s decision-making process. Put plainly; objectives will help in designing a crisis that is most likely to occur. 

Understand the audience

What will happen if you provide a technical scenario to the C-level executives? The tabletop exercise will fail. The objectives of a tabletop exercise decide its target audience. Is there a list of individuals participating in a tabletop exercise? If not, is it possible to create such a list? At this point, it is also sensible to consider whether a tabletop exercise will include external participants. Our incident response experts often take part in our clients’ tabletop exercises as external participants. 

Prepare a brief outline of the scenario

After documenting objectives and audience, it is time to prepare a brief outline of the simulated chaos. The outline should cover an initial story, a middle part, and a potential conclusion. This outline must help you in achieving the objectives as decided earlier. Before all participants gather or on the same day, the scenario should be communicated to them. Instead of handing out documents, we have found that videos are significantly better in capturing the participants’ attention. 

Add realistic elements to the scenario outline

A tabletop exercise involving superficial elements which are unlikely to occur is a fruitless exercise. Incorporate specific details into the scenario outline to make it realistic. If needed, a subject-matter expert can assist in drafting the scenario thoroughly. Real nature of scenario and relevancy are two critical factors in keeping the audience engaged throughout. 

Ensure the availability of logistics
  • Sending invitations to the participants 
  • Making room bookings for the exercise 
  • Availability of IT systems in the booked room 
  • Virtual participation considerations if any 
  • We recommend testing the specifics a day before the tabletop exercise as many exercises often get delayed due to a lack of preparation. 
Manage the agenda and drive the discussion

A tabletop exercise is more likely to be successful if it moves along the fixed schedule. The schedule should factor in various types of activities such as bathroom breaks, coffee, meals, etc. It should also cover the time taken to move from one room to another. Unanticipated time delays pose a threat to the exercise’s success. The scenario in a tabletop exercise is time-sensitive, and delays are not favorable for participants. Our experts consider it a good idea to explain the agenda before an exercise starts. This helps in ensuring that all the participants stick to the schedule, and there is a negligible delay. 

Prepare the After Action Report (AAR)

Usually, a tabletop exercise concludes with a conclusive discussion of the scenario and possible areas of improvement. This discussion lays down the foundation for the After Action Report (AAR). AAR is a constructive report, and it generally gets prepared and shared with the participants within one to two weeks. It identifies the right and wrong actions during the exercise and provides actionable recommendations. The participants should adopt these recommendations for improvising incident response plan as well as the team performance. An ideal AAR helps the organization in becoming resilient and crisis-ready.  

Continue building on the momentum

Incident response and crisis management require continual improvements. One isolated exercise is not sufficient for organizations to be assured that their incident response strategy is picture-perfect. An optimal strategy should undergo review at regular intervals for checking it against different scenarios and making appropriate changes. Our experts recommend a frequency of one exercise per year; however, they can be bi-annual if an organization is working in critical infrastructure. 

Ending notes 

Regular simulation of crisis scenarios is essential for continual improvement of an organization’s incident response strategy. Moreover, regulations across the globe are making it mandatory for organizations to implement an incident response plan and undertake regular reviews of the same. Irrespective of whether one wishes to fulfil compliance obligations or increase the business resiliency, checklists are no longer enough. Organizations need to move beyond their absolute reliance on checklists and adopt a dynamic incident response strategy to upgrade their defenses in line with the growing threat environment. 


Prepare for and respond to a business disruption after an aggressive cyberattack