Is Your Company Ready for a Cyberattack?

Many companies are putting themselves through military-inspired games to beef up their cyber resilience.

Reading Time: 7 min 



An MIT SMR initiative exploring how technology is reshaping the practice of management.
More in this series
Already a member?
Not a member?
Sign up today

5 free articles per month, $6.95/article thereafter, free newsletter.


Unlimited digital content, quarterly magazine, free newsletter, entire archive.

Sign me up
Shadow of a skull within lines of code

The U.S. military views cyberspace as a critical domain it must protect — similar to air, sea, and land. It regularly conducts war games to expose and eliminate risks to data and networks and to test its cyber defense tactics and strategies. As part of that effort, the military and other government agencies, including the U.S. Department of Homeland Security, have launched “bug bounty” programs that reward so-called ethical hackers (people hired by organizations to hack into their computer systems) for identifying and repairing potential vulnerabilities.

Companies face many of the same cyber risks as military and government agencies, and many of them are investing in similar capabilities to protect themselves. Goldman Sachs, for example, plans to put more than 8,000 developers through a gamified cybersecurity training program to help them gain a deeper understanding of attacker psychology and the range of countermeasures they might take. During this program, teams will compete against one another in games that feature more than 300 risk scenarios to develop and hone skills in malware analysis, digital forensics, and ethical hacking. Other companies, such as Intel, are taking steps to identify problems early — for example, offering rewards as high as $250,000 to security experts who identify vulnerabilities in their products. Such open invitations to engage hackers have helped organizations uncover and address real risks.

Increasingly, cyber exercises are becoming standard elements of corporate risk mitigation and resiliency efforts. In this article, we will describe some of the exercises companies are employing. They include “tabletop exercises,” which are designed to help executives envision how they would handle different risk scenarios; “red team exercises,” which are designed to ferret out weaknesses through contained attacks conducted internally to see how cybersecurity teams respond; as well as engaging ethical hackers to test an organization’s cybersecurity defenses.

Tabletop Exercises

Tabletop exercises are carefully planned events that simulate actual cyberattacks, thereby helping organizations identify specific vulnerabilities and define processes, procedures, and individual responsibilities needed to make systems secure. However, it’s important to note that tabletop exercises aren’t just about “defending the castle” against attacks; they can also teach a company’s leaders to manage through the attack and after the attack to remediate damage. In a way, the exercises serve as an X-ray into the organization’s cyber weaknesses.

Read the Full Article



An MIT SMR initiative exploring how technology is reshaping the practice of management.
More in this series

More Like This

Add a comment

You must to post a comment.

First time here? Sign up for a free account: Comment on articles and get access to many more articles.