| Exercise Goal | Key Participants | Length | Incident Severity |
| --- | --- | --- | --- |
| Team members experience how an incident can evolve over multiple days and rehearse responses at each stage. | Cross-functional team (District Leadership, Tech, Dept. Leadership) | 2-3 hours | Low → Critical |
Resource Downloads

PDF Presentation | Google Slides Template | Facilitator’s Guide
Purpose
This exercise is a traditional, larger-scale scenario featuring multiple “injects” (new developments). Your team will navigate the response to each stage using your Cybersecurity Incident Response Plan (CSIRP) as a guide. The exercise focuses on evaluating the tools, tactics, training, and relationships necessary to mitigate risk and impact as an incident escalates.
Participant Profile
- Ideal Composition: A cross-functional team including District Leadership, the Tech Team, and Department Heads (e.g., HR, Finance, Operations).
- Flexible Roles: If key individuals are not present, their roles should be assigned to other participants to ensure all departmental perspectives are represented.
Prerequisites
There are no formal prerequisites. However, familiarity with the district’s current incident response procedures will allow for a more productive and realistic experience.
Prioritized Outcomes
- Plan Validation & Optimization: Identify gaps in current planning and technical documentation to refine and validate incident response plans and playbooks.
- Operational Readiness: Train personnel on plan execution and rehearse response procedures to build the “muscle memory” needed for a swift, instinctive reaction.
- Role & Skill Alignment: Clarify specific roles and responsibilities while identifying gaps in team coordination, knowledge, or technical skills.
- Strategic Coordination & Awareness: Enhance communication across different departments and deepen the collective understanding of threat types, business impacts, and prevention.
Facilitator Notes
Role of the Facilitator: We strongly recommend a facilitator who is not a participant. The facilitator should provide context relevant to the organization and purposefully push the team out of their comfort zone.
Not a “Whodunit”: Remind participants that this is not a mystery to be solved. It is a series of events that may or may not be related. Participants should address each “inject” as it occurs, looking for connections without waiting for a single “aha!” moment or a simple solution. The focus is on the process of response, not just the “answer.”
© 2026 MAISA/MiSecure. This work is licensed under CC BY 4.0.