Cyber security exercises: testing an organization´s ability to prevent, detect, and respond to cyber security events

The digital age has transformed how today´s organizations operate. The production and delivery of essential goods and services takes place through complex and interconnected business processes that in turn rely on a set of interdependent infrastructures. These infrastructures and their supporting information systems transcend individual organizations. However, information systems security research is largely under the purview of computer science and engineering departments, and consequently often focuses on technological issues while overlooking the pervasive nature of information systems in today´s society. This has generated calls for a new approach to information systems security; one that employs a socio-organizational perspective that includes not only individual organizations but entire industry sectors and government agencies as well. This paper presents one such approach, the use of scenario-based exercises in addressing security issues common to large organizations, industry sectors, and various levels of government. Lessons learned from illustrative examples of such exercises, as well as suggestions to help organizations conduct their own exercise, are discussed.