In today’s bulletin, Charlie discusses the difference between live-play exercises and SIMEXs (simulated exercises), and gives an insight into the importance of agreed wording in exercising.
I was at the NCSC (National Cyber Security Centre) yesterday as part of a meeting between the organisations that are part of their Cyber Incident Exercising (CIE) scheme, and one of the topics of discussion was the difficulty of defining exercise types. In their exercise scheme, NCSC use the terms tabletop exercises and live-play exercises, but they wanted to know whether this was the same terminology which we, as exercise providers, use.
At PlanB Consulting, we slightly suffer from the same issue, as we are asked for SIMEXs rather than live-play exercises, and we have to determine what the client’s definition of a SIMEX is. In their full form, SIMEXs can be expensive to develop and deliver, so clients must understand this and the type of exercise they are purchasing; otherwise, when they are quoted a price, they may receive a shock. If they think a SIMEX is just a tabletop played in real time, unfacilitated and using slides to drive the narrative, then they wonder how it can be so expensive. If they know we need to write 50-70 injects, research all aspects of the incident, including media and stakeholders’ responses, and have a team of role players to input and receive injects, then they are aware that these are expensive to plan and execute.
The NCSC’s definition of a live-play exercise is “where team members execute their roles and responsibilities from their normal work environment, in response to controlled injects which represent a given cyber incident scenario. Different participants typically receive different sets of injects. Activities and decisions happen in close to real-time, although the incident pace and timeline is managed by an exercise control function”. [1]
I agree with this definition, although I would call it a SIMEX rather than a live-play exercise. My definition of a live-play exercise is that it has an element of on-the-ground exercise play as well as an incident management element. For me, this could be a government exercise where they simulate a train crash in a tunnel and they have role-played casualties who have to be dealt with, and then the information from the ground is relayed back to the responding organisation’s incident rooms. The Cabinet Office agrees with my definition in their recently published ‘Exercising Best Practice Guidance’, in that it involves response in real time, an element of responding as if the incident were real, and a multi-agency response rather than a single-organisation response. [2]
The NCSC presented this as a consultation exercise to understand what everyone else was doing, so it generated quite a lot of discussion around the room. The vocabulary defining the type of exercise is important, as you can find yourself in a long discussion about delivering an exercise, only to find that you are talking at cross-purposes, and your idea and their idea can be very different. A common vocabulary is important because ‘what’s in a name’ [3] matters.
[1] NCSC, “Cyber Incident Exercising” https://www.ncsc.gov.uk/schemes/cyber-incident-exercising/information-for-buyers
[2] UK Resilience Academy, “Exercising Best Practice Guidance” https://www.gov.uk/government/publications/exercising-best-practice-guidance/exercising-best-practice-guidance-html
[3] Shakespeare, W. “Romeo and Juliet”