TRAINING FOR THE UNEXPECTED
The eternal crisis dilemma happened again in Ukraine: the signs were there, but the world was still caught by surprise. Amidst the catastrophe, all of us must learn to become better prepared. Training and exercises are at the core of strengthening our organizations. However, implementing a culture of exercises and increasing the number of exercises require a better understanding of the actual needs and constraints of the protected entity.
// Antti Sillanpää, Mikko Sirkiä
Things go bad all the time. A constant flux of cyber incidents, traffic accidents and burglaries fills the statistics. Researchers evaluate the reasons for a 10% drop or a 15% rise in them. Here, events happen so often that the phenomenon is thoroughly understood. Credible predictions can be made about future occurrences, and consequences can be mitigated even if they cannot be eradicated. Predictable and well-analyzed challenges are often dealt with through technical or tactical exercises. If the same type of event keeps coming, we can continue along this path. The toolbox of the average wrongdoer is known, and the steps are understandable. Problems caused by negligence and inattention are everyday tasks for cyber security professionals. This does not mean that technical exercising and training cannot be comprehensive. We can dissect huge problems into small entities. This is like eating the elephant piece by piece. In the end, the elephant is down and digested. This logic means that even boardroom exercises are in a sense technical if, e.g., they practice the organization of the board. Therefore, exercising organizational responses to known problems is relatively straightforward, even if it is demanding.
34 | CYBERWATCH FINLAND
SENSEMAKING IN NOVEL SITUATIONS
The situation is different when challenges come as surprises. Tsunamis are extremely rare and unpredictable. They are practically impossible in the Nordics, but their consequences can reach here. Some of these rare events do happen, but we don't have enough historical or other data to predict which ones. And when they emerge, the consequences can be both devastating and very comprehensive. In these completely new and complex situations, our capability to make sense of what is happening can be lost. If we lose our sensemaking, the possibilities of survival diminish. How do we train for these unexpected events, which might become more common due to political turmoil, climate change and the like?
SCRIPTED SCENARIOS OR LIVE ACTION?
There are at least two approaches to strategic-level exercise planning. We can take a comprehensive view of the planning with scripted scenarios, or we can focus on the dynamics in the organization. The approaches are not mutually exclusive, and they can even be carried out one after another. Selecting one over the other seems to be a matter of resources and convention. Comprehensive exercises often have good and excessive scenarios. An imaginative and knowledgeable writing team also takes into consideration the particularities of the training participants. The planning cycle is often long and requires a lot of resources. Therefore, these exercises are challenging to organize. Institutions with a strong security culture, especially the military, excel in these. There are also successes in more civilian contexts. In Finland, at the TIETO22 exercise different sectors develop their co-operation and identify concrete cybersecurity