The bottom line: Tabletop exercises with unclear objectives, unrealistic scenarios, or missing stakeholders create false confidence and fail to expose organizational weaknesses in incident response.
Discussion-based simulations for testing cybersecurity incident readiness are an established tool – yet poorly executed tabletop exercises leave blind spots, so the picture they give does not accurately reflect real incident response capabilities.
Unclear or absent objectives: The most common mistake is conducting exercises without measurable learning objectives tied to realistic business decisions. According to Sharon Chand, US leader for Cyber Defense and Resilience at Deloitte, this leads to generic ransomware or insider threat scenarios with vague success criteria. The exercise drifts off course, rewards improvised actions instead of process quality, and leaves uncertainty about whether the incident response plan actually works. Better approach: Set clear directives, such as testing escalation paths, legal reporting obligations, decision authority, or recovery prioritization, rather than generically “playing through a breach.”
Overly simple or known scenarios: Tabletop exercises that only run through clean, clearly defined ransomware cases with obvious decision points create false confidence. As Ayush Raj Jha, Senior Software Engineer at Oracle Health, reports, reality looked completely different three months after one such exercise: a partial outage in a multi-region disaster recovery setup, with contradictory system failure signals, had never appeared in any exercise. In the actual incident, employees froze because reality did not match the training scenario. Better approach: Deliberately use ambiguous scenarios with incomplete information and conflicting signals to practice decision-making under uncertainty.
Lack of business relevance and wrong stakeholders: When IT leaders view tabletop exercises as a routine task rather than an essential security tool, the resulting scenarios bear no relation to the organization's actual risks and decision points. According to Jason Stading, Director at technology consulting firm ISG, this manifests in selecting unrealistic scenarios or omitting key stakeholders. The result: participants debate whether something could happen instead of focusing on the operational response. Better approach: Develop scenarios based on the actual environment, business priorities, previous incidents, and industry-typical threats. Include all relevant functions – security, IT, legal, communications, HR, operations, and executive leadership.
Regular post-exercise reviews and iterative improvements to scenarios are critical to ensure realistic preparedness.
Source: www.csoonline.com · Published June 2, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.2.9.