Cybersecurity is a little like Whac-A-Mole; you hit one issue and another pops up. So says Mark Herman, Booz Allen Hamilton vice president. “Cyber is a very complex problem to which you might consider simple solutions that won't work,“ says Herman. “It's an integrated fabric so if you change your cyber policy in one area you might actually create new vulnerabilities you didn't think about holistically,“ he says. That's where wargaming comes in. In previous times, wargaming was a means of gauging how a battle might unfold. Today, the meaning has broadened to include exploration of a whole host of issues with no easy solutions “” cybersecurity among them. “Wargames not only let you see how you might solve one problem; they let you see the effect of one set of issues on another,“ says Herman. Here, in his own words, is Herman's take on how to wargame for stronger cybersecurity.
1.) Know what you want to achieve. “Knowing what you want to achieve is critical,“ says Herman. “Ask yourself: What is the objective of the wargame? What problem am I solving, what is my objective for running a wargame?' You have to understand those things before you start. Once you understand the issues you're challenged by, that's when you can engage in the analytic technique of a wargame.“
2.) Get the right mix of people and time. “I've run wargames with as many as 400 people, and I've done games with as few as 12. In general, however, 50 is a good-sized wargame. In terms of time spent: My general preference for any wargame is two days. Sleeping on it and coming back to it the next day is helpful.“
3.) Engage in “˜right to left' thinking. “You say, “˜OK, in order for me to start to understand this issue, I have to have certain kinds of information.' Let's say it's competitor information. Ask yourself: “˜What do we know about the opposition in this particular case?' Once you go down that path of thinking, you might say, “˜We don't know as much as we thought we knew.' That's when you've got to get some information. It's the collection of material that allows for this second step “” a fairly intricate step “” but it doesn't take a rocket scientist either. It's a matter of being clear where you're going, then applying the methodology.“
4.) Be prepared to finish the game. “If you're not prepared to exploit what you learn from the wargame, then you might as well not have bothered to do it in the first place. Coming out of a wargame should effectively reset your agenda, which can have huge implications for an organization. If you can imagine: If you were on a certain path, with certain priorities, then all of a sudden you got a whole new view of the world. That, in turn, can turn into a whole strategy review. Accept that you may have to redo your strategy “” and that may have huge implications if it is done right. On the other hand, if you just kind of do the gaming and say, “˜Wow, that was interesting,' and then go back to what you were doing before, then you should haven't have bothered in the first place.“