It isn’t penetration testing—when companies employ “white hat” hacks to identify technical vulnerabilities. A cyber war game is based around a real-life business scenario (ex. Hackers attempting to access customer databases). As cyber security is everyone’s responsibility, information security employees to marketers and legal advisers work together to respond to the real-life scenario. These war games can help expose weaknesses in response protocol. The four main questions these games explore are:
- Can the team identify and assess the breach quickly? Can the business spread the word of the breach to the whole company so everyone can take proper actions?
- Can the team make effective decisions to contain the attack? Does your company have functional guidelines for the company’s decision making policy?
- Can the team effectively communicate the breach to the stakeholders?
- Can the company be flexible in adjusting business strategies when responding to an attack?
In addition, data collected from cyber war games have identified frequent areas of security vulnerabilities to be flaws in customer data, employee data, stakeholder assets, corporate information, and intellectual property. Cyber war games grant insight into a company’s important assets, security vulnerabilities, and flaws in response protocol. One of the worst security vulnerabilities is the company mindset that security is solely an IT responsibility. Cyber war games help flush out such company flaws.
So How do you conduct a cyber war game? Creating a proper cyber war game involves brainstorming sessions between business and security managers about which assets are important, who are potential attackers, and what the impact of an attack will be. Once the main components are highlighted, the rules of the game such as number of scenarios, difficulty, cross-platform participants, and the step-by-step script can be determined. The script is then used to give results and status updates to the participants after each decision they have made. Lastly, the learning phase extracts the insights gained from running a cyber war game and implements them into more effective cyber defense solutions.
As McKinsey states, “a poor response could be more damaging than the attack itself.” Regarding cyber attacks, it no longer is a question of if, but when. It is in all companies’ best interest to adapt to a more proactive solution for handling cyber attacks. Conducting cyber games can help determine important assets, identify flaws in response protocol, expose digital weaknesses, and ultimately stopping a malicious cyber attack in the future.
The original white paper “Playing War games to Prepare for Cyberattacks” was published in the July 2012 edition of the McKinsey Quarterly.