Abstract
As remote work increases in adoption, partly pushed by the 2020 COVID-19 pandemic, conducting and offering security training to employees is ever more challenging, due to physical constraints. Cyber-security training is ever more critical as both digitalization of controls and services increases, and remote working increases the risks of cyber-threats, due to vulnerable communication channels and lack of security practices from remote location working. As physical presence and coordination of large groups of employees becomes more challenging, it is necessary to offer more flexible, adaptable and lightweight training and exercise solutions for cyber-security training. For this reason, in this work we propose a lightweight tabletop framework for conducting cybersecurity exercises. The framework has been developed taking into consideration personalized learning theory concepts and feedback from academic and industrial stakeholders. Evaluation of the framework was conducted through a series of exercises with industrial personnel and university students. According to the results of the experiments, the framework is effective at developing a great range of table-top exercises for both students, security professionals and technical operators. By focusing on flexibility, ease of implementation, remote accessibility and other key attributes, the exercises developed with the framework have been reported to be successful in achieving the goals, and found engaging and motivating by participants.
Supported by the Norwegian University of Science and Technology.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Andriotis, N.: 5 elements to include in any post training evaluation questionnaire. Efront Learning (2018)
Angafor, G.N., Yevseyeva, I., He, Y.: Bridging the cyber security skills gap: Using tabletop exercises to solve the CSSG crisis. In: Ma, M., Fletcher, B., Göbel, S., Baalsrud Hauge, J., Marsh, T. (eds.) JCSG 2020. LNCS, vol. 12434, pp. 117–131. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61814-8_10
Angafor, G.N., Yevseyeva, I., He, Y.: Game-based learning: A review of tabletop exercises for cybersecurity incident response training. Secur. Privacy 3(6), e126 (2020)
Brilingaitė, A., et al.: Environment for Cybersecurity Tabletop Exercises. In: ECGBL 2017 11th European Conference on Game-Based Learning, pp. 47–55. Academic Conferences and Publishing Limited (2017)
Brown, M.L.: Use of tabletop exercises for disaster preparedness training. PhD thesis. The University of Texas School of Public Health (2010)
Chen, K.-C., Chen, C.-C., Wang, T.-L.: The role tabletop exercise using START in improving triage ability in disaster medical assistance team. Ann. Disast. Med. 1(2) (2003)
Chowdhury, N.: A personalized learning theory-based cyber-security training exercise. Inf. Comput. Secur. (2022)
Chowdhury, N., Gkioulos, V.: Cyber security training for critical infrastructure protection: A literature review. Comput. Sci. Rev. 40, 100361 (2021)
Chowdhury, N., Gkioulos, V.: Key competencies for critical infrastructure cyber-security: A systematic literature review. Inf. Comput. Secur. (2021)
Chowdhury, N., Katsikas, S., Gkioulos, V.: Modeling effective cybersecurity training frameworks: A Delphi method-based study. Comput. Secur. 113, 102551 (2022)
Chowdhury, N., et al.: Cybersecurity training in Norwegian critical infrastructure companies. Int. J. Saf. Secur. Eng. (2021)
Debusmann, B.: Why remote working leaves us vulnerable to cyber-attacks. In: BBC News (2021)
Dolezal, A.: Cyber threats have increased 81% since global pandemic. In: Business Wire (2021)
Ferreira, R., et al.: Decision factors for remote work adoption: Advantages, disadvantages, driving forces and challenges. J. Open Innov. Technol. Mark. Complex. 7(1), 70 (2021)
Forero, C.A.M.: Tabletop exercise for cybersecurity educational training; theoretical grounding and development. In: MS thesis (2016)
Haga, K., Meland, P.H., Sindre, G.: Breaking the cyber kill chain by modelling resource costs. In: Eades III, H., Gadyatskaya, O. (eds.) GraMSec 2020. LNCS, vol. 12419, pp. 111–126. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-62230-5_6
He, W., Zhang, Z.: Enterprise cybersecurity training and awareness programs: Recommendations for success. J. Organiz. Comput. Electron. Comm. 29(4), 249–257 (2019)
Jin, G., Manghui, T., Kim, T.-H., Heffron, J., White, J.: Evaluation of game-based learning in cybersecurity education for high school students. J. Educ. Learn. (EduLearn) 12(1), 150–158 (2018)
Johnson, J.: Where do it professionals see an increase in cyber attacks and attack attempts following the covid-19 pandemic? In: Statista (2021)
Klosek, T.: Limitations of the Lockheed Martin Cybersecurity Kill Chain Model. PhD thesis, Utica College (2020)
Maggio, L.A., et al.: Cybersecurity challenges and the academic health center: An interactive tabletop simulation for executives. Acad. Med. 96(6), 850–853 (2021)
Mirzaei, S., Eftekhari, A., Mohammadinia, L., Tafti, A.A.D., Norouzinia, R., Nasiriani, K.: Comparison of the effect of lecturing and tabletop exercise methods on level of preparedness of nurses against natural disasters. J. Holist. Nurs. Midwif. 30(1), 17–26 (2020)
Ottis, R.: Light weight tabletop exercise for cybersecurity education. J. Homeland Secur. Emerg. Manag. 11(4), 579–592 (2014)
Pane, J.F., et al.: Continued progress: Promising evidence on personalized learning In: Rand Corporation (2015)
Pastor, V., Diaz, G., Castro, M.: State-of-the-art simulation systems for information security education, training and awareness. In: IEEE EDUCON 2010 Conference, pp. 1907–1916. IEEE (2010)
Popken, B.: Full return to office is ’dead’, experts say — and remote is only growing. In: NBC News (2021)
Radvanovsky, R.: Cybersecurity simulation exercises: Is simply waiting for a security breach the right strategy? In: Ernest & Young Advisory Services (2017)
Radvanovsky, R.: Tabletop/red-blue exercises. In: Handbook of SCADA/Control Systems Security, pp. 368–377. Routledge (2016)
Reeves, A., Delfabbro, P., Calic, D.: Encouraging employee engagement with cybersecurity: How to tackle cyber fatigue. SAGE Open 11(1), 21582440211000050 (2021)
Samuel, J.: Cyber security—key performance indicators. In: Infosec Write-ups (2019)
Sitzmann, T., Weinhardt, J.M.: Training engagement theory: A multilevel perspective on the effectiveness of work-related training. J. Manag. 44(2), 732–756 (2018)
Strom, B.E., et al.: Mitre attack: Design and philosophy. In: Technical report (2018)
Walkington, C., Bernacki, M.L.: Appraising research on personalized learning: Definitions, theoretical alignment, advancements, and future directions (2020)
Yadav, T., Rao, A.M.: Technical aspects of cyber kill chain. In: Abawajy, J.H., Mukherjea, S., Thampi, S.M., Ruiz-Martínez, A. (eds.) SSCC 2015. CCIS, vol. 536, pp. 438–452. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22915-7_40
Zhou, X., et al.: Kill chain for industrial control system. In: MATEC Web of Conferences, vol. 173, p. 01013. EDP Sciences (2018)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Chowdhury, N., Gkioulos, V. (2023). A Framework for Developing Tabletop Cybersecurity Exercises. In: Katsikas, S., et al. Computer Security. ESORICS 2022 International Workshops. ESORICS 2022. Lecture Notes in Computer Science, vol 13785. Springer, Cham. https://doi.org/10.1007/978-3-031-25460-4_7
Download citation
DOI: https://doi.org/10.1007/978-3-031-25460-4_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25459-8
Online ISBN: 978-3-031-25460-4
eBook Packages: Computer ScienceComputer Science (R0)