• Nth Generation

GRC - Gamification for Plan Testing



If you have gone through a typical Incident Response Tabletop exercise, you know that it can be very predictable and boring. The scenarios are picked ahead of time. The responses are known and prepackaged, and the exercise becomes a routine check mark.


How do we address this? Make it a game.


Gamification of training has long been a way to engage the audience for better results. There are also many ways to bring those same concepts to testing your IRP.

Here are two that can be introduced with little to no capital investment.

Introduce Chance

Introduce your scenario as normal, but during the tabletop, roll a die to determine a random element to introduce.


Here are some examples:

  • Distraction: The presented scenario was a distraction event to mask a different attack vector. For this to work, have another scenario prepared and run both scenarios simultaneously.

  • Resource limits: As the scenario is playing out, a bad flu season hits. 20% of staff is affected, including members of this team.

  • Law enforcement intervention: During the scenario, law enforcement contacts you. They have been monitoring a criminal organization and believe that your incident may be related. They wish for your company to reduce countermeasure efforts to allow their team to trace and catch the perpetrators.

Reward Participation

Increase engagement by rewarding participants who play into the scenario. Award tokens for insightful commentary, good teamwork, or pointing out flaws in the plan. At the end of the Tabletop, the participant with the most accumulated tokens is recognized with a small prize.

These small enhancements can create greater engagement in the exercise, increase satisfaction, and make GRC plan testing more effective.
