Cybersecurity Exercises for Policy Work

Exploring the Potential of Cybersecurity Exercises as an Instrument for Cybersecurity Policy Work

Malicious cyber activities are increasing worldwide and getting increasingly more sophisticated. Individuals, businesses, and governments explore different ways of tackling this development, for example, through developing policies to counter or mitigate cyber threats. One promising instrument for doing so is cybersecurity exercises. Different cybersecurity exercises (e.g., red team/blue team exercises, cyber wargames, workshops, tabletop exercises, and simulations) can address different audiences and goals – from examining technical responses by critical infrastructure providers to assessing diplomatic responses to a cyber incident. To grasp the potential of cybersecurity exercises – particularly for policy work – it is important to explore the different types of exercises in more detail.

The paper first highlights defining features of each cybersecurity exercise type to emphasize each type’s advantages. Workshops, for example, are speculative, collaborative, and can improve understanding between different actors. Meanwhile, simulations can replicate reality as much as possible using digital networks, which helps simulate attacks and the reactions to such attacks. Secondly, the different exercise types are applied to different stages of the policy cycle – a cycle mapping policy work from defining a problem to the implementation and evaluation of a policy - to explore reasons for using them at certain stages of policy work. Simulations, for example, are particularly beneficial to use when implementing or evaluating a policy, for example, for testing its effectiveness.

The paper creates a simple guide for exploring the potential application of cybersecurity exercises for policy work and for strategically using them. It is recommended to go through a three-step process to find whether cybersecurity exercises are an instrument to be used for a specific policy objective. 

1. Firstly, scope out the policy work – consider the policy work at hand and the target audience to be reached.

2. Secondly, identify the stage of use – identify where the policy work is best situated on the policy cycle.

3. Thirdly, consider the defining features of cybersecurity exercise types and identify which exercise type is the best to achieve the policy work goal.

Ultimately, the paper highlights that cybersecurity exercises are an instrument that decision-makers should consider when developing cybersecurity policies and/or aiming to achieve different cybersecurity policy goals.