**EXCON teams in cyber security training**

Grethe Østby, NTNU Department for Information Security and Communication Technology, Gjøvik, Norway

Kieren Nicolas Lovell, TalTech CERT department, Tallinn, Estonia

Basel Katt, NTNU Department for Information Security and Communication Technology, Gjøvik, Norway

Abstract: A cyber range is an arena where exercises will be used to expose individuals, public and private organizations, and government agencies to simulated socio-technical cyber security events and situations in a realistic but safe environment. Running these exercises is a demanding task, and the exercise control (EXCON) team have vast and detailed tasks to run and coordinate during the exercise. Often the team members in EXCON rely on tacit knowledge and inherited experience rather than formal pedagogical knowledge. As cyber ranges provide full-scaled cyber exercises for different organizations at strategic, tactical and operational levels, there is a need to bring diverse experts into EXCON teams, such as experts from CERTs and other real-life stakeholders. These tasks require excellent capabilities to manage such teams and will be one of the most important roles to frame. In this paper we suggest a framework for EXCON team roles running full-scale cyber incident exercises and want to test this framework during exercises.

Keywords: EXCON roles, EXCON teams, cyber exercises, cyber crisis exercises, cyber exercise management, cyber exercise training roles, crisis training, societal cyber crisis training

I. INTRODUCTION

The threat of cyber attacks on critical infrastructure is increasing, and there is a corresponding increase in the areas of the cyber security discipline that seek to mitigate this threat (protecting, identifying threats and compromises, auditing, compliance, legal aspects, and so on) [1]. One area that has attracted increased attention is incident response procedures and training for CERTs and SOCs.
Another area is command, control and coordination (C3) skills for senior management within the scope of IT-related incidents [2]. As a result, there is active work in each of these areas, often working independently to rise to the challenge. If this independent way of working continues, it will only get more challenging as more building management systems, IoT devices and computers are added to the mix.

Historically, within civilian, military and government organizations, cyber security has been treated as an IT problem rather than an operational one. Although this has been identified as a problem across borders, cyber threats are still approached from an incident response perspective anchored in this IT view, and not in the broader scope of organizational, full-scale responsibility [3]. In most major incidents classified as category 4 or above in the UK National Cyber Security Centre's categorisation to improve England's response to cyber incidents, the cyber IT response would only be one part of the operational dynamics. Some tactical decisions taken without clear strategic direction could cause the incident response to make the situation worse for other operational factors [4] [5] [6].

In traditional, more mature disciplines, the critical factor in an effective response to any threat is an effective, clear and well-practiced contingency plan that reinforces a clear C3 mission aim and priority [7] [8]. This means that while incident response training is happening, it mainly happens within separate silos, without testing communication pathways. We still see cyber exercises that focus only on technical departments and not the full organization. When they are practiced at a higher level, the communication barrier between strategic, operational and technical layers is often not practiced [9].

According to the Cisco 2018 annual cyber security report, the gap between supply and demand for trained security personnel is growing [10].
To overcome this shortage, there is a need to expand our knowledge of effective and efficient methods and tools to train and work with cyber security incident management in all organizations. With the technical and operational communication barriers mentioned, and the statistics in mind, this paper suggests a full-scale organizational exercise approach.

Cyber security is a relatively immature industry within crisis management compared to more mission-critical and established industries such as maritime and aviation. The purpose of this paper is therefore to incorporate crisis management structures used by Flag Officer Sea Training (Royal Navy) and a similar whole ship or full-scale approach to exercises. This includes legal, public relations, technical, middle management, senior management and external actors, but within a safe environment. In this paper we suggest combining red-team–blue-team technical exercises with traditional table-top exercises to eventually provide full-scale exercises.

After presenting background and relevant literature in Section II, Section III describes our research approach. Section IV presents our suggested full-scale exercise approach and the EXCON model. Section V contains our conclusion and future research.

II. BACKGROUND AND RELEVANT LITERATURE

A key lesson from observing numerous exercises, including a study based on community cyber security exercises in three US cities, is that participants' behaviour towards incidents is driven by previously planned responses. Determining the proper response to an incident is better done in advance, when time is available for entities and actors to examine and determine appropriate alternatives [11]. There has been considerable interest in both private and public sectors, including military forces, in developing simulations of cyber-attacks and computer network operations for better training and learning. Significant progress has been made [12].
Security professionals fully anticipate that the threats facing their organizations will remain complex and challenging, according to Cisco's 2018 report [10]. Unfortunately, there appears to be little coordination and cooperation across private-sector organizations and governments in the development of effective cyber attack simulations. Some simulations share common traits and achieve similar results, suggesting that redundant work and research are being conducted [12].

The competence of the people running the exercise is crucial for a successful outcome. A study examining whether exercises improve preparedness and response in civil crisis management found that repeated exercises cultivate longitudinal learning and that exercise leadership should be aware of this learning potential [13]. Within cyber security, several challenges in team exercises have been identified [14]. For instance, it can be difficult to correlate actions to outcomes and to measure individuals' performance. In addition, decision making may be biased by the pressure of the exercise, and participants may not always behave as they would during real-world incidents.

Guidebooks and frameworks have been proposed to help design and execute cyber exercises [15] [17]. Some focus on technical aspects and attack–defence scenarios; others focus on strategic and organisational dimensions. Socio-technical frameworks have also been proposed to improve cyber security training, highlighting the need to combine technical and human factors [16].

Emergency exercises in the wider crisis management domain have long experience to draw on. For example, work on emergency preparedness in the UK highlights the importance of exercises and training for emergency planning [20]. The US Homeland Security Exercise and Evaluation Program (HSEEP) provides guidance for design, execution and evaluation of such exercises [21].
Within each of these disciplines there is experience that can be used to improve cyber crisis exercises: from the cyber security community, from crisis management research and from the emergency management tradition. Our work builds on this literature to propose a set of roles and responsibilities for EXCON teams.

C. Combining red team and blue team exercises with table-top exercises

Looking at an organization's vulnerabilities, what is important to the cyber security operation of the entity is how these vulnerabilities could be exploited. This can be compared to an impact and risk assessment, which is used to implement security controls to mitigate possible threats [19]. This impact assessment can then be used to provide the storyline for a table-top exercise combined with a technical exercise, as shown in figure 2. This type of exercise has been used in non cyber security crisis management exercises for a long time, but has generally not been executed as a full-scale organization exercise before [20].

Figure 2: Exercise life cycle (ASCII representation)

```
+-------------------------------+
|  TECHNICAL & OSINT DATA       |
|  - System vulnerabilities     |
|  - Exposed services           |
|  - Credentials / OSINT        |
+---------------+---------------+
                |
                v
+-------------------------------+
|  IMPACT & RISK ASSESSMENT     |
|  - What happens if exploited? |
|  - Criticality of services    |
+---------------+---------------+
                |
                v
+-------------------------------+
|  EXERCISE DESIGN              |
|  - Scenario & injects         |
|  - Range / technical tracks   |
|  - Table-top storyline        |
+---------------+---------------+
                |
                v
+-------------------------------+
|  EXECUTION                    |
|  - Technical red/blue play    |
|  - Strategic/tactical play    |
+---------------+---------------+
                |
                v
+-------------------------------+
|  AAR & LESSONS IDENTIFIED     |
|  - C3 and technical findings  |
|  - Gaps in process/policy     |
+---------------+---------------+
                |
                v
+-------------------------------+
|  RECTIFICATIONS               |
|  - Controls implemented       |
|  - SOPs updated               |
+---------------+---------------+
                |
                | FEEDBACK LOOP
                +----------------------+
                                       |
                                       v
  (back to TECHNICAL & OSINT DATA and IMPACT & RISK)
```

The model is based on the technical and Open Source Intelligence (OSINT) data and the impact it would have if the incident really happened. In this proposed approach, we instead start the exercise with the societal impact and the responsibilities of various stakeholders of a cyber incident. We suggest a full organizational focus for the exercises, at the strategic, tactical and operational levels, and present a proposed team to manage the exercise, i.e. the controllers and the actors in the exercise [21].

III. RESEARCH APPROACH

In this paper, we propose an approach to cybersecurity exercise management and control (EXCON) and evaluation from a naive inductivism perspective. This approach starts by first observing a phenomenon and then generalizing the possible causes and results, leading to theories that can be falsified or validated [22].
We use the methodology outlined by Design Science Research in Information Systems (DSRIS), which is in alignment with the inductivist approach [23]. This methodology uses artefact design and construction at its core (learning through building) to generate new knowledge and insights into a class of problems. DSRIS requires three general activities: (1) construction of an artefact where construction is informed either by practice-based insight or theory, (2) gathering data on the functional performance of the artefact (i.e., evaluation), and (3) reflection on the construction process and on the implications the gathered data have for the underlying insight(s) or theory (or theories) [23].

How to work on these steps was presented in a thesis written by Karokola [24]. He visualized this approach as outlined in figure 3. As we are approaching our work in a naive inductivist way, we modified the logical formalism in the model from abduction to induction.

Figure 3: Design research methodology – modified (ASCII)

```
+-----------------------------+      +----------------------------+
| ENVIRONMENT & PRACTICE      |----->| AWARENESS OF PROBLEM       |
| (observed exercises,        |      | - Observations             |
|  crisis mgmt experience)    |      | - Stakeholder concerns     |
+-----------------------------+      +-------------+--------------+
                                                   |
                                                   v
                                     +-------------+--------------+
                                     | SUGGESTION (ARTEFACT)      |
                                     | - EXCON role framework     |
                                     +-------------+--------------+
                                                   |
                                                   v
                                     +-------------+--------------+
                                     | DEVELOPMENT                |
                                     | - Refine roles/models      |
                                     +-------------+--------------+
                                                   |
                                                   v
                                     +-------------+--------------+
                                     | EVALUATION                 |
                                     | - Exercises / cases        |
                                     +-------------+--------------+
                                                   |
                                                   v
                                     +-------------+--------------+
                                     | CONCLUSION & LEARNING      |
                                     | - Updated theory/prac.     |
                                     +-------------+--------------+
                                                   ^
                                                   |
                             +---------------------+-------------------+
                             | THEORY & PRIOR RESEARCH                 |
                             | (crisis mgmt, cyber, socio-technical)   |
                             +-----------------------------------------+
```

The awareness of the problem is based on observations from the authors running crisis management exercises and cyber exercises (first step in the second column of figure 3). To propose an artefact in an inductive approach, we used the observations to suggest three phases to define relevant EXCON teams: (1) What is the societal impact of the cyber crisis? (2) Identify the crisis organization's responsibility in the crisis to identify who would need to be trained, and then (3) identify the relevant EXCON team to train the responsible organization (second step in the second column). Our main goal in this paper is to build a best practice framework for roles in EXCON teams for running cyber incident exercises.

IV. EXCON HANDLING ROLE MODEL – A SOCIETAL CYBER CRISIS TRAINING STUDY

A. Apply the case of EXCON responsibilities in training cyber crisis

We start by analysing organizations' responsibilities when handling a cyber crisis, who they collaborate with, and how they escalate cyber incidents and apply contingency work during crises. We then present an organization to handle the crisis, before suggesting what cyber training and exercises are needed and introducing training responsibilities in EXCON teams in a model to reach our goal, called EXCON trainers in teams.

ICT personnel handle cyber incidents every day, both on their own and together with experts such as SOCs or CERTs. One key aspect of this approach is to show the societal impact of a cyber incident, not just the technical fallout. This could, for example, be an attack on salary transactions for a diversity of organizations in a bank, which could affect a large number of households' capacity to pay for mortgage, food and gasoline, and consequently lead to uncertainty and unrest in society.
We focus on such cyber incidents that would impact society and identify the crisis organization's responsibility in these crises to identify who would need to be trained to manage such crises, and then a relevant EXCON team to train the responsible organization.

A. Societal Impact of the Cyber Crisis

The first step in our approach is to identify what societal impact the cyber crisis will have. In the example above, one would need to define what responsibility the bank has. That would be defined based on what is regulated by law, what is regulated in the bank's contingency plans, and what sectorial departments would be involved in handling such a crisis.

B. Responsibilities and roles in cyber crisis management

The goal for full-scale exercises is to train responsibilities on strategic, tactical and operational levels in an organization (often called Gold, Silver and Bronze teams in the UK and US), as shown in figure 4. The crisis handling organization in this bank example can be predefined for such crisis management. Responsibilities and roles in societal crisis management are presented in [25], and a modified version is presented in figure 4.

Figure 4: Roles in cyber crisis management – modified (ASCII)

```
+--------------------------------------+
| STRATEGIC LEVEL                      |
| (Gold – Top management / Board)      |
| - CEO / Director                     |
| - Board of Directors                 |
| - County Governor / Regulator        |
+-----------------+--------------------+
                  |
                  v
+-----------------+--------------------+
| TACTICAL LEVEL                       |
| (Silver – Crisis Manager &           |
|  sector managers)                    |
| - Crisis Manager                     |
| - Sector / Department Managers       |
+-----------------+--------------------+
                  |
                  v
+-----------------+--------------------+
| OPERATIONAL LEVEL                    |
| (Bronze – ICT & field operations)    |
| - ICT Manager / SOC / CERT           |
| - Operational managers               |
+--------------------------------------+

External actors (media, public, dependents, partners, police, CERTs)
connect horizontally to all three levels:

  MEDIA / PUBLIC / DEPENDENTS  --->  Strategic / Tactical / Operational
  POLICE / CERT / REGULATOR    --->  Tactical / Operational
  PARTNERS / SUPPLIERS         --->  Tactical / Operational
```

To train at the strategic level, the trainers would be all those the crisis management team normally communicate with externally. To train the CEO, the EXCON team needs to act as the board of directors, county governor, media, dependents and employees. To train the crisis manager, one needs templates such as briefs to cope with the command and control of the crisis.

To train the sectorial managers (for example, the health department in a municipality), it is common practice to bring tactical management teams and operational managers into the EXCON group. They would pretend to oversee situational awareness in the affected sector.

To train the ICT manager, the focus would be on the information flow via tactical and operational teams in this cyber incident situation in crisis management. We suggest training this information flow based on a red-team ongoing attack scenario. Additionally, we need to act as CERTs and police investigators who are relevant for the organization.
We can choose to invite relevant CERTs and police investigators into the EXCON team, the same way as with sectorial teams.

Training the information management will also depend upon information flow and the media policy. A lot of the information input will come from the EXCON team as external influenced parties, as shown in figure 5. This modified figure was presented without the orange outline as part of the crisis management information responsibilities presented in [25].

Figure 5: External actors – modified information flow model (ASCII)

```
                    +----------------------+
                    |   STRATEGIC / CEO    |
                    +----------+-----------+
                               ^
                               | Situation reports
                               |
+---------+   Media lines      |     +--------------------+
| PUBLIC  |<-------------------+---->| INFORMATION        |
| & USERS |                    |     | MANAGEMENT UNIT    |
+----+----+--------------------+     | (Info officer /    |
     ^     Social media /            |  press / web)      |
     |     public opinion            +-----+------+-------+
     |                                     ^      ^
     |                                     |      |
     |      Press releases / updates       |      |
+----+----+                           +----+--+   |
| MEDIA   |<--------------------------| C3    |   |
| (Press, |                           |(Crisis|   |
|  TV,    |-------------------------->| mgr)  |---+
|  Web)   |   Questions /             +---+---+
+---------+   interviews                  |
                                          |
+--------------------+                    |
| POLICE / CERT /    |--------------------+
| REGULATOR /        |  Technical / legal
| PARTNERS           |  info & decisions
+--------------------+
```

Information management is at the centre, receiving inputs from public, media, police, CERTs, regulators and partners, and feeding consolidated information and advice back into the crisis management (C3) and strategic leadership.

The trainers in the EXCON team will need to have knowledge and be educated in different areas, and the requirements will be diverse. We suggest dividing the trainers into groups based on who they will train, as shown in figure 6.

Figure 6: Grouping the participants for training (ASCII)

```
LEGEND (original colour coding, now shown as tags):
  [O] = Public-focused training (orange in original)
  [B] = Information-team training (brown)
  [R] = Red-team / technical training (red)
  [G] = Life situational stakeholders (green)

+------------------------------------------------------+
|            CRISIS MANAGEMENT PARTICIPANTS            |
+------------------------+-----------------------------+
| STRATEGIC (Gold)       | [O] Public / Dependents     |
| - CEO / Board          | [O] Employees               |
| - County Governor      |                             |
| - Top mgmt             |                             |
+------------------------+-----------------------------+
| TACTICAL (Silver)      | [B] Information team        |
| - Crisis Manager       |   - Info management unit    |
| - Sector managers      |   - Press / media team      |
+------------------------+-----------------------------+
| OPERATIONAL (Bronze)   | [R] Technical / Red team    |
| - ICT Manager / SOC    |   - Attack / defence on     |
| - Operational managers |     range and system copy   |
+------------------------+-----------------------------+
| EXTERNAL STAKEHOLDERS  | [G] Life situational        |
| - CERTs, SOCs (ext.)   |     stakeholders            |
| - Police investigators |   - External CERTs / SOCs   |
| - Regulators           |   - Police / regulators     |
+------------------------+-----------------------------+
```

What was marked with orange in the original figure would be trained by people who can act as the public. Those marked with brown would be trained by the information team and those marked with red would be trained by the traditional cyber exercise red team. Additionally, we suggest training the green group with live situational stakeholders. That means that we will invite relevant SOCs, CERTs and police investigators to join our exercises. This group will not have the tacit knowledge to participate in such exercises and will need different guidance than the other groups.

One of the reasons it is important to have this full-scale approach is to make sure that impacting actions from one section's commands are effectively simulated within the exercise storyline, rather than just following a purely linear timeline. This allows the exercise to be planned, but also to be flexible enough to include changes to the scenario that would be impacted by decisions, actions or inactions that would either make the situation worse or easier to maintain during the exercise. As our primary objective in this exercise approach is to test both C3 and IT skills, this allows participants to see that their actions have a major impact on the operational flow.

C. Relevant Training Team and Training Roles

In summary, we present suggested different training groups as in figure 7. We suggest varying the actors based on which organization we train; for example, some organizations have SOCs, and some use external CERTs.

Figure 7: EXCON-trainers in teams (ASCII)

```
                   +--------------------------+
                   |    EXCON TEAM MANAGER    |
                   |  - Overall coordination  |
                   |  - Link to instructor    |
                   +------------+-------------+
                                |
            +-------------------+----------------------+
            |                                          |
+-----------v-----------+                   +----------v---------+
| WHITE TEAM            |                   | INSTRUCTOR /       |
| - Scenario control    |                   | FACILITATOR        |
| - Injects, pacing     |                   | - Guides learning  |
| - Monitors decisions  |                   | - Supports C3      |
+-----------+-----------+                   +--------------------+
            |
            v
+-----------+-----------+
| SITUATIONAL ACTORS    |
| - Role-players (e.g.  |
|   sector managers,    |
|   local services)     |
| - Simulate everyday   |
|   operational context |
+-----------+-----------+
            |
            v
+-----------+-----------+
| COLLABORATIVE ACTORS  |
| - Real external       |
|   stakeholders:       |
|   CERTs, police,      |
|   regulators,         |
|   partners            |
| - Join exercises as   |
|   themselves          |
+-----------------------+

+-----------------------+
| RED TEAM              |
| - Cyber attackers on  |
|   range/system copy   |
| - No explicit blue    |
|   team, but attack    |
|   operative staff     |
| - Also simulate:      |
|   * Press interviewers|
|   * Newspapers        |
|   * Social media      |
+-----------------------+
```

Information/coordination flows:

- EXCON Team Manager <-> White Team <-> Situational & Collaborative actors.
- EXCON Team Manager <-> Instructor (for learning design and C3 support).
- Red Team interacts with operative staff on the range/system copy and feeds narrative elements (press, media, social media) into the exercise through the white team.

We hereby present the different roles to explain what is important for the teams in general, and some challenges that would be important to handle in the teams.

The EXCON team manager will coordinate information among the teams and follow up on how to handle inputs and decisions from the participants in the exercise together with the white team. The EXCON team manager will also be the link to the instructor supporting crisis management in the exercise.

The white team will have the responsibility to coordinate the scenario and pick up on decisions, actions or inactions that would change the scenario, and to make the scenario still flow to and from the teams. They will also have the responsibility to follow up on the collaborative actors team, to support learning processes for them as well.

We have separated one group of collaborative actors/players to make sure they get the focus they need when entering the exercise battle. This group will be active each time we get these external real-time stakeholders to participate in the exercise.
They could be acted by the situational actors group, but if we get them to participate, we keep the group separated to give them the extra attention they need as infrequent participants in such exercises.

The situational actors group is based on actors in traditional crisis management table-top exercises. The actors will vary according to which organization we train. In our figure 7, police investigators are placed in this group, but they might as well be placed in the collaborative actors group, depending on whether we can get real-time police investigators.

The red team is based on the red team concept in traditional cyber exercises. They will not have a separate blue team on the other side, but will work against operative staff from the organizations that participate in the exercise, and against a copy of their systems at the cyber range. It is important that system developers are involved in the exercise, as they will be building the system copy at the cyber range. This group is separated to have a free role in the exercise. The group will have three main responsibilities: press interviewers, press newspapers and social media. It will also be important to follow up on public decisions that the organization can learn from, both in terms of continuous communication and the long-term end state of the crises at hand.

V. CONCLUSION AND FUTURE RESEARCH

Based on our discussions in this paper we suggest a three-phase process to prepare relevant roles for EXCON teams for exercises:

1) Identify the societal impact of the cyber crisis.
2) Identify responsibilities and roles in cyber crisis management.
3) Build relevant training teams and training roles.

To train and develop such diverse teams requires excellent training skills and the capability to take a strategic approach to the task. As the group varies in competence and will vary in participants from exercise to exercise, it will be necessary to develop the different tasks at hand for the different roles in the groups.
Scenario planning to present what each person should do, and how to act and collaborate, will also be an important task for the trainers. To do this training, we suggest sessions led by the EXCON leader, supported by an instructor, and we want to test and develop this approach ahead of upcoming exercises.

It will also be important to observe how the different roles in the EXCON team are relevant throughout the exercise. We have suggested a master's thesis to observe and analyse our proposed EXCON teamwork, including its relevance in different phases, and to compare this with what is done in other full-scale exercises. Before the exercises, we will also provide maturity research for the participants in the exercise, to see whether the exercise improves maturity when repeating the maturity research sometime after the exercise.

We plan to test our framework when planning, executing and evaluating exercises at the Norwegian Cyber Range (NCR), and through the Open Cyber Range collaboration between Estonia and Norway. Cyber ranges are relevant test-beds for improving simulations, combining systems and people's cyber skills. Cyber range events vary in complexity and in their objectives and cover a broad spectrum of event types. Some events are conducted to train cyber protection forces; some are conducted to evaluate people, process and technology through large-scale exercises; others are conducted for developmental testing (DT) or operational testing (OT). Events may also be conducted for experimentation with technology or tactics, or to assess mission readiness [25].

We also keep in mind that participants in our exercises are real-life stakeholders. As we conduct live-fire exercises with a whole-organization approach, we must differentiate between exercise injects and a real incident happening at the same time, and we need to be prepared to stop the exercise. In the military this is called the SAFEGUARD procedure.
Future work will consider how to create a similar process in large-scale crisis management and cyber exercises, in order to shut down the exercise when a real incident occurs during the exercise.

REFERENCES

[1] Annual Cyber Security Assessment 2019, 2019. Available: https://www.ria.ee/sites/default/files/content-editors/kuberturve/ktt_aastaraport_eng_web.pdf

[2] Emergency Response and Recovery: Non statutory guidance accompanying the Civil Contingencies Act 2004, 2004. Available: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/253488/Emergency_Response_and_Recovery_5th_edition_October_2013.pdf

[3] S. Dumitru Ducaru, The Cyber Dimension of Modern Hybrid Warfare and Its Relevance for NATO, Europolity, vol. 10, 2016. Available: http://europolity.eu/wp-content/uploads/2016/07/Vol.-10.-No.-1.-2016-editat.7-23.pdf

[4] NCSC, New cyber attack categorisation system to improve UK response to incidents. Available: https://www.ncsc.gov.uk/news/new-cyber-attack-categorisation-system-improve-uk-response-incidents

[5] A. S. Elmaghraby and M. M. Losavio, Cyber security challenges in Smart Cities: Safety, security and privacy, Journal of Advanced Research, vol. 5, 2014.

[6] A. Boin and P. 't Hart, Organising for Effective Emergency Management: Lessons from Research, Australian Journal of Public Administration, vol. 69, no. 4, 2010. Available: https://onlinelibrary.wiley.com/doi/epdf/10.1111/j.1467-8500.2010.00694.x

[7] F. Wex and G. Schryen, Intelligent Decision Support for Centralized Coordination during Emergency Response, ISCRAM Conference, Lisbon, 2011. Available: https://epub.uni-regensburg.de/21242/1/ISCRAM_2011_Intelligent_Decision_Support_for_Centralized_Coordination_during_Emergency_Response.pdf

[8] M. K. Jeffery, The Human in Command: Exploring the Modern Military Experience, NATO RTO Workshop on The Human in Command, Springer, 2000.

[9] V. Geaffray, Your Biggest Cybersecurity Threat is Poor Communication, Security Today, 2018. Available: https://securitytoday.com/articles/2018/08/27/your-biggest-cybersecurity-threat-is-poor-communication.aspx

[10] Cisco, Cisco Annual Cybersecurity Report, 2018. Available: https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf

[11] A. Conklin and G. B. White, e-Government and Cyber Security: The Role of Cyber Security Exercises, 2006, pp. 79b–79b.

[12] S. P. Leblanc, A. Partington, I. Chapman and M. Bernier, An Overview of Cyber Attack and Computer Network Operations Simulation, MMS '11 Military Modeling Simulation Symposium, 2011. Available: http://dl.acm.org/citation.cfm?id=2048572

[13] J. van Laere and J. Lindblom, Cultivating a longitudinal learning process through recurring crisis management training exercises in twelve Swedish municipalities, Journal of Contingencies and Crisis Management, 2018. Available: https://doi.org/10.1111/1468-5973.12230

[14] D. S. Henshel et al., Predicting Proficiency in Cyber Defense Team Exercises, 2016.

[15] V.-V. Patriciu and A. C. Furtuna, Guide for Designing Cyber Security Exercises, WSEAS, 2009. Available: http://www.wseas.us/e-library/conferences/2009/tenerife/EACT-ISP/EACT-ISP-28.pdf

[16] G. Østby, L. Berg, M. Kianpour, B. Katt and S. Kowalski, A Socio-Technical Framework to Improve Cyber Security Training: A Work in Progress, STPIS'19, 2019.

[17] J. Kick, Cyber Exercise Playbook, MITRE Corporation, 2014.

[18] K. Hakkyong, Learning from UK disaster exercises: policy implications for effective emergency preparedness, Disasters, vol. 38, 2014.

[19] K. N. Lovell, Cyber Game to Cyber Exercise: A New Methodology for Cybersecurity Simulations, 5th Interdisciplinary Cyber Research Conference, Tallinn, Estonia, 2019, Tallinn University of Technology. Available: https://www.taltech.ee/public/t/tarkvarateaduse-instituut/CRW_2019/mobile/index.html#p=15

[20] Emergency planning and preparedness: exercises and training, GOV.UK, 2013. Available: https://www.gov.uk/guidance/emergency-planning-and-preparedness-exercises-and-training

[21] Homeland Security Exercise and Evaluation Program (HSEEP), 2013.

[22] J. S. Kowalski, IT Insecurity: A Multi-disciplinary Inquiry, Stockholm University, 1994.

[23] W. Kuechler and V. Vaishnavi, A Framework for Theory Development in Design Science Research: Multiple Perspectives, Journal of the Association for Information Systems, vol. 13, no. 6, pp. 395–423, 2012.

[24] G. R. Karokola, A Framework for Securing e-Government Services: The Case of Tanzania, Department of Computer and Systems Sciences, Stockholm University, 2012.

[25] G. Østby and B. Katt, Cyber crisis management roles – a municipality responsibility case study, ITDRR 2019, Kiev, 2019.