Cybersecurity Policy Exercises in Practice

Learnings from Implementing Tabletop Exercises in Different Countries

Citizens as well as public and private organizations are exposed to tremendous risks by the constantly evolving cyber threat landscape. This development is being tackled by governments all over the world through the implementation of cybersecurity policies and regulations, among other means. Designing cybersecurity policies, however, is a complex challenge that requires specific skills and interdisciplinary contributions. One tool that can be used to contribute to this endeavor, to bring stakeholders from different backgrounds together and discuss and test policies, is cybersecurity policy exercises.

From July 2021 to July 2022, we designed and implemented cybersecurity policy exercises in eight countries from different parts of the world, including the Republic of Armenia, the Republic of Costa Rica, the Republic of Kenya, the United Mexican States, and the Republic of South Africa. The exercises, except for the one in Costa Rica, were part of a joint project with the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ), which was implemented on behalf of the BMZ. Some of these exercises took place on-site, whereas others were carried out online because of the COVID-19 pandemic. They typically convened participants from governmental and private sector institutions, civil society organizations, and academia. Before the implementation, we studied the theoretical foundations of how cybersecurity exercises can be used for policy work. We then identified the exercise type that best fit the context we worked in—that is, cyber capacity building—and developed a methodology and a process for designing and implementing exercises with stakeholders from different countries.

We experienced firsthand that cybersecurity policy exercises are useful tools, for example, with which to practice information sharing and analysis across sectors during an incident. This utility stems from the fact that such exercises offer participants the opportunity to discuss a hypothetical yet realistic cyber incident scenario and to experience policy responses. However, a crucial learning from our work is that to unfold the benefits of these exercises and ensure that they have a lasting effect, a number of points must be considered during design and implementation. In this paper, we outline our most important learnings and present several practical suggestions that might be helpful for other workshop designers and facilitators. For greater clarity, we structured our experiences into four categories: organizing, designing, implementing, and evaluating an exercise.

Country-specific cybersecurity policy exercises demand extensive methodological insights and detailed knowledge of a country’s cybersecurity policy. We therefore recommend conducting research and expert interviews on a given cybersecurity architecture, legislation, and policy. Additionally, we have come to the conviction that exercises in the context of capacity building are sustainable and correspond with objective realization only when supported by and co-organized with local (political) stakeholders. Such support can come in the form of pre-workshops, wherein the overall objectives of an exercise are discussed, or expert interviews that focus on country-specific questions, such as the particular responsibilities of national cybersecurity stakeholders. Both these preparatory processes influence how a scenario is formulated.

During cybersecurity policy exercises, participants not only practice their national incident response but also examine what real-life impact cybersecurity policies have during an incident. An exercise that focuses on policy helps shed light on processes that are in place. It also enables participants to experience a lack thereof when policies have not been translated into clear processes, such as incident reporting. Participants may additionally address other concrete objectives, such as to increase awareness of the existence or non-existence of cybersecurity policies or the practice of information sharing between different sectors.

Aside from applying these practical learnings on designing and implementing cybersecurity policy exercises, we recommend that cybersecurity policy exercises, particularly those conducted as part of cyber capacity building initiatives, be regarded not merely as a means of practicing national incident response in a one-off manner. Rather, they should be seen as a chance to identify gaps and missing pieces in existing policy processes. They also offer the opportunity to create multi-stakeholder dialogue afterwards and collect concrete ideas and formats to work on challenges identified in the exercise. Moreover, we found considerable interest among stakeholders from different countries in implementing additional exercises to monitor developments over time. We hope that our learnings advance the work of implementers, enable those interested in the field to take their first steps, and, ultimately, facilitate exchange on the methodology.