
Checklist for Planning & Conducting a Cyber Crisis Tabletop Exercise (CCTE)

Welcome
Congratulations on choosing to download and read this Cyber Tabletop Exercise
Template Document. You have just taken your first step towards enhanced cyber
resilience.

This document contains a Cyber Tabletop Exercise Template created by the deeply
experienced cybersecurity experts at Cyber Management Alliance. It contains
valuable guidance on how to conduct a successful and meaningful Cyber Tabletop
Exercise in your organisation.

You could view this document as a step-by-step guide for hosting your own
Cyber Tabletop Exercise. If you need help in building a scenario for your Tabletop
Exercise, use our FREE Top 30 Cyber Tabletop Exercise Scenarios Document.

Good luck!

Determine the Type of Exercise

This is probably the most important first step. You need to decide the type of
exercise you want to conduct and the type of participants.

We label these as:

● Executive Cyber Crisis Awareness Sessions (or ECAS)

  A session focused on senior executives and/or the board. This is
  conducted more as an awareness session with a hint of one or two micro
  scenarios.

● Executive Cyber Crisis Tabletop Exercise (CCTE)

  The audience here also comprises senior executives but, as the title
  suggests, this session is run more as a proper tabletop exercise. The
  audience is asked how they would respond to the scenario presented to
  them and the answers are discussed amongst the participants. The focus
  of this session is bolstering executive decision-making during an attack
  and enhancing overall cybersecurity leadership.

● Operational Cyber Crisis Tabletop Exercise (CCTE)

  This tabletop exercise is geared towards the operational management
  layer - those who are responsible for the operations running smoothly
  and for returning operations back to normal when disrupted. This
  audience is often subject to more detailed questions, and they are also
  expected to answer the questions more diligently. Furthermore, we also
  use our interactive platform so that each attendee can type in their
  answers for a more detailed post-exercise review.

● Technical Cyber Crisis Tabletop Exercise (CCTE)

  As it says on the tin, this tabletop session is designed and produced for
  a purely technical audience. The sessions usually last longer (3–4 hours)
  and are not discussion-based sessions. Rather, the technical tabletop
  session often puts the audience in an actual cyber-attack setting to
  evaluate their technical skills and knowledge; their familiarity with the
  technical controls and technology tools quickly becomes apparent.

Please note: In our opinion all identified participants should stay for the
whole session even if they may play a small role in the tabletop session.

Onsite or Remote?
Based on our experience of conducting hundreds of tabletop sessions,
we strongly recommend that you go all in on either onsite or remote
sessions.

Let’s get down to the checklist!
Type, Participants & Location
● Ensure you have management sponsorship.
  ● If possible, get this in writing/communicated officially.
● Agree on the type of tabletop session.
● Write down and get formal approval of the objectives.
● Identify all the participants for the session.
  ● For technical sessions, endeavour to invite all key specialists.
  ● For operations (subject to organisational charts), invite legal +
    communications teams where possible.
● Inform participants that they have been selected.
  ● Share the objectives with them and ask for feedback.
  ● They must inform you if they cannot attend the session.
  ● They must put forward another person (preferably from their team or
    from a similar role) if the above is true.
● Observers:
  ● Ensure you have at least one observer who knows the participants and
    the organisational context.
  ● Ensure that they know their responsibilities.
  ● Ensure that they understand the technologies/systems/assets.
  ● Create an Observer’s Guide.
  ● Sign an additional confidentiality agreement if necessary.

Scheduling & Documentation

● Work backwards: As part of your first few actions, send out at least two
  preferred dates 6 – 8 weeks ahead of the date you start working with the
  external consultancy.
● Give back time: Add at least a 30-minute buffer to the total time
  (it’s always better to give time back than to overrun).
● Communicate with the participants regularly to remind them of the
  upcoming tabletop exercise.
● Documents to create + share:
  ● Provide them with the Terms of Reference at least 2 weeks before the
    tabletop session.
  ● Provide them with a Participant’s Guide at least 2 weeks before the
    exercise.
● Send everyone calendar invites with clear instructions on joining and
  necessary information.
● Settle and communicate the FINAL number of invited participants to
  the group.
● After the exercise, finalise the names of and total number of NO-SHOWS.

Planning

● Agree on the critical asset(s) you are going to target in this exercise.
  ● Ideally don’t have more than 2 critical assets.
  ● Consult with your BIA document for confirmation.
  ● Consider a critical third party if necessary.
  ● For the selected asset, ensure you understand the full impact on the
    business (refer to BIA).

● Story + Details
  ● If conducting a CCTE for executives, be creative and create a backstory.
  ● For executives, think about adding threat actors.
  ● For technical audiences, focus on the deep + technical details.
  ● For operational management, focus on the details and on business
    continuity.
  ● Create simple-to-understand attack workflows to show at the end of
    the tabletop session.
  ● Use existing geo-political news to build your story.
  ● Create injects that the audience may not expect.
  ● Review any past incidents/attacks to build your existing scenario.
  ● Ensure your slides aren’t too ‘busy’.
  ● Use images and only a few words where possible.
  ● If there is a BIG cyber-attack around the time of the exercise,
    mention it during the introduction or towards the end.


● Questions + Answers
  ● Focus on the questions you want the audience to answer.
  ● Be clear with the participants on the type of answers you are
    looking for:
    ● Detailed + typed.
    ● Discussion/focused answers.
  ● When writing technical questions, ensure the questions are technology
    specific (Example: A firewall-related question should ideally be focused
    on the vendor product you are using. This is not mandatory).

Dry Run
● Conduct at least 2 dry-run sessions with the observer(s).
● Review the questions in detail (get sample answers if possible).
● Be aware of how long the session will last.
● Try to map the questions to the participants.

During the Session


● Ensure strict time-keeping.
● Apologise in advance for interrupting participants
  (for time-keeping purposes).
● Ensure someone is taking notes (observer).
● Try to address each attendee by name.
● Don’t read the slide word-for-word.
● If the session is long, ensure you take appropriate coffee and comfort
  breaks.

After the Session

● At the end of the tabletop, thank all the participants for taking time off
  and for their participation.
● Inform users about what happens next:
  ● Report
  ● Recommendations
  ● Feedback
● Report:
  ● Ensure you receive all the notes from the observer(s).
  ● Collate all this information to create your summary report.
  ● Ensure you highlight the noteworthy comments and responses and the
    areas of improvement.
  ● Clearly describe the recommendations and ensure specificity
    where possible.
● Debrief:
  ● If required, host a tabletop debrief session where you can typically be
    more straightforward with session and attendee feedback.
  ● Keep the session short – maximum 30 minutes.

info@cm-alliance.com https://cm-alliance.com +44 203 189 1422 @cm_alliance
