6 steps to validate cyber incident response plans in times of conflict

Should the worst occur, cyber incident response plans can help mobilize resources, contain the attack, mitigate damages and expedite recovery.

Should the worst occur, cyber incident response plans can help mobilize resources, contain the attack, mitigate damages and expedite recovery. Image:

Steve Durbin
Chief Executive, Information Security Forum
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


Listen to the article

  • Cyber attacks have become a widespread risk to governments and businesses.
  • During times of conflict, such as Russia’s invasion of Ukraine, these risks become amplified.
  • Here are key things to consider when evaluating cyber incident response capabilities.

Losses, disruptions and damages due to cyber attacks have become a major risk to governments and businesses alike. Such risks get amplified significantly during times of conflict or instability and Russia’s invasion of Ukraine is a case in point. Should the worst occur, cyber incident response plans can help mobilize resources, contain the attack, mitigate damages and expedite recovery.

Have you read?

But having a plan on paper is never enough; it’s not a substitute for actual practice. Cyber drills need to be carried out repeatedly, tested thoroughly, and optimized for the real world. Like fire drills at school, when the bell goes off, everyone should know their place.

Cyber incident response capabilities

Listed below are some important considerations for organizations to consider when evaluating cyber incident response capabilities:

1. Be clear with objectives

Before diving into the specifics of the process itself, organizations must ensure they are clear on the objectives and the success criteria of the test. The entire exercise must ideally yield two important results: one, a clear understanding of whether the plan is likely to succeed (or not); two, it must help identify a list of critical gaps that must be addressed immediately. Additionally, organizations must aim to test different aspects of the response plan, such as a newly acquired business, a particular system or infrastructure, or specific attack scenarios such as ransomware.

2. Pick an exercise that matches the desired objectives

Businesses must take into account real-world logistical and operational constraints when selecting an exercise to test the objectives that have been laid out. Options include: table top exercises (e.g., calling people listed in the plan to ensure their phone numbers work); phishing simulations (launching phishing attacks on employees to test if they recognize and report them); password and other suspicious requests; red/blue/purple teaming exercises (simulated cyber attacks to test whether systems can be broken in and whether defences are working as expected); war games (to test defences and cyber readiness of the organization); parallel tests (testing recovering systems to see if they are operational and are able to support key processes); and cutover tests (disconnecting primary systems and checking whether secondary systems are working as expected).

cyber incident response plans capabilities cyber attacks
Global weekly cyber attacks per organization (2020-2021) Image: Checkpoint

3. Choose your exercise target wisely

It’s important that organizations identify the right combination of targets to build an exercise that helps meet desired objectives. Targets can include specific business applications, physical assets such as servers and workstations, virtual and cloud infrastructure, remote business locations and employees. It might also make sense to include supply chain partners as part of the testing exercise. For example, simulating an attack on a managed service provider. Some simulations can also be designed to target the C-suite, since executive teams are critical to any crisis response.


How is the Forum tackling global cybersecurity challenges?

4. Develop cyber incident scenarios that are challenging but achievable

Exercises are always a great way for businesses to test their cyber incident response abilities and gauge the cybersecurity readiness of their employees. Exercises should be challenging but achievable at the same time; the idea is not to discourage or demoralize employees but to engage and excite them about developing a strong security culture and ensuring they are well-equipped to handle cyber incidents. Consider providing participants with scenarios tied to real-world events like ransomware to make exercises seem more realistic and urgent. If possible, distribute guidance to participants ahead of the exercise so that they feel adequately prepared. Try to be as transparent as possible; make clear who will be taking part, how will the feedback be captured and what kind of metrics will be reported. Add complexity to the exercise by focusing on a specific system, process or individual components of the cyber kill chain. One can even test extreme attack scenarios like “black swan” attacks – incidents that can occur suddenly, with unexpected, widespread ramifications.

5. Ensure to involve all the right parties

It’s important to select the right mix of resources from both business and technical backgrounds so they can help deliver incident response exercises using a wide range of use-cases and expertise. Businesses should include third parties such as forensic and legal experts as well as supply chain partners and customers. The idea is to select an audience that allows you to meet your desired objectives. Securing buy-in from senior management teams is also advisable as this will greatly impact how participants perceive and participate in the exercise.

6. Be open and learn together

Encourage participants to remain open-minded and not to over-analyze the given situation. Encourage honesty and critical thinking, give all participants the opportunity to contribute. Record all major observations and recommendations from participants, including things that may not have worked as expected. Conduct post-exercise feedback promptly and commit to addressing issues identified during the exercise via streamlined and well-defined action plans. Capture feedback on how future exercises can be improved; ensure recommended changes are implemented ahead of your next exercise.

In times of conflict or instability, cyber incident testing exercises should be put to action as this can help identify gaps in the most seemingly robust incident response plan. Incident management plans must be thought of as a living document that needs continuous reviewing and updating as the threat landscape evolves. After all, true cyber resilience can only be achieved if the organization is truly capable of detecting, responding and recovering from a genuine, real-world cyber incident.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

Tinder Swindler: How 'romance fraud' became a multi-billion dollar cybercrime

Robin Pomeroy and Sophia Akram

May 24, 2024

About Us



Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum