Purpose
- Conduct a self-assessment for a specific procedure or plan to ensure it is comprehensive and fit for purpose.
Guidance
- Identify the specific plan or procedure you wish to review
- Shuffle only the question cards and draw a random card from the deck
- Evaluate the drawn question in the context of the selected plan or procedure
- Assess whether the plan or procedure adequately addresses the question
- Determine if there are any gaps or areas that need improvement
- Once you are confident that the question has been fully addressed, place the question card into a separate pile, face down, and draw another card
- If follow-up actions are needed, place the question card in a different pile, question side up (this pile will be revisited later)
- Continue drawing and evaluating cards until all question cards have been considered
- Review the pile of follow-up cards
- Use the identified gaps to develop an action plan to address the issues highlighted
THE DIFFERENT TYPES OF CARDS
SHUFFLE
A RESILIENCE CARD GAME
Scenario cards
- High-level incident scenarios to consider
- Contextualise scenarios with your organisation and plans
- Discuss the scenario and potential impacts before drawing question cards
- While the exercise is entirely fictional, it is based on realistic threats
- Be careful not to get caught up in the fine details; make assumptions where required
Question cards
- Provide prompts for scenario-based consideration
- Reflect on your own response and confidence level
- Discuss group expectations and the measures necessary for confident answers
- The objective is not to find straightforward answers but to stimulate discussion and critical evaluation
- If a question is not relevant to the scenario or easily answered, discard it and draw another card
Additional cards
- Enhance your programme with more ways to customise the pack
FOCUSED SCENARIO – GROUP DISCUSSION
Purpose
Facilitate a group of stakeholders to challenge and assess designed procedures and plans against a specific scenario, ensuring they provide all the required guidance and support.
- Define the scope of the game, focusing on the specific plans, procedures, or business area you wish to test
- Separate the scenario cards and question prompt cards into two piles. Shuffle each pile separately
- Select one scenario card and discuss its relevance to your organisation and the scope of the discussion
- If this is not your first time using Incident Shuffle or there is a specific scenario you wish to explore, substitute it at this stage rather than drawing a new scenario card
- Ensure all participants understand the scenario and its implications within the context of your organisation
- Begin drawing question cards one by one, discussing each question as a group
- If a question is not relevant to the scenario or easily answered, discard it and draw another card
- Focus on the discussion around each question, evaluating the level of preparedness and identifying any gaps or areas needing improvement
- The objective is not to find straightforward answers but to stimulate discussion and critical evaluation
- Repeat the process of drawing and discussing question cards until you feel the scenario has been sufficiently covered or a significant number of question cards have been reviewed
- As a group, review the actions resulting from the discussions
- Note down all follow-up actions for implementation after the session
POLY-SCENARIO – GROUP DISCUSSION
Purpose
Introduce additional complexity to a focused scenario by incorporating a secondary incident, such as a physical incident leading to a cyber attack, to challenge and test the robustness of procedures and plans.
- Define the scope of the game, focusing on the specific plans, procedures, or business area you wish to test
- Separate the scenario cards and question prompt cards into two piles. Shuffle each pile separately
- Select one scenario card and discuss its relevance to your organisation and the scope of the discussion
- If this is not the first session or you have a specific scenario to explore, substitute it at this stage rather than drawing a new scenario card
- Ensure all participants understand the initial scenario and its implications within the context of your organisation
- Begin drawing question cards one by one, discussing each question as a group
- If a question is not relevant to the scenario or easily answered, discard it and draw another card
- Focus on the discussion around each question, evaluating the level of preparedness and identifying any gaps or areas needing improvement
- At a suitable point during gameplay, pause the group and introduce a second scenario to add complexity. Ensure the secondary scenario is plausible, such as a cyber attack following a public incident
- Ask the group to reassess their actions and decisions considering the new issue introduced by the secondary scenario
- Continue pulling question cards and discussing them, now considering the impact of both incidents on their responses and resource allocation
- Repeat the process of drawing and discussing question cards until you feel the combined scenarios have been sufficiently covered or a significant number of question cards have been reviewed
- As a group, review the actions resulting from the discussions
- Note down all follow-up actions for implementation after the session
GUIDANCE ON HOW TO CUSTOMISE THE SCENARIO TO YOUR ORGANISATION
Ransomware
- Consider which specific critical systems or databases within your organisation could be targeted by ransomware
- Identify which departments or functions would be most affected by an encryption of your network
- Determine which sensitive data within your organisation would be most at risk and most damaging if encrypted
- Reflect on your organisation’s stance and policies regarding ransom payments and cryptocurrency use
- Think about any previous cyber incidents your organisation has faced and how they were handled
Supplier impersonation and payment fraud
- Identify the key suppliers and partners critical to your operations that could be targets for impersonation
- Focus on specific financial processes and payment protocols within your organisation that could be exploited
- Consider which departments (e.g., finance, procurement) are most vulnerable to social engineering attacks
- Reflect on any past incidents involving third-party compromises or fraud attempts within your organisation
- Customise the scenario based on the geographic locations of your key suppliers and partners
Data leak
- Specify the types of sensitive data (e.g., customer information, trade secrets) that would be most damaging if leaked
- Identify potential sources of data leaks within your organisation, such as specific databases or employee roles
- Consider the different access points (e.g., internal networks, cloud services) where a data leak could occur
- Reflect on the specific regulatory and compliance requirements your organisation must adhere to regarding data protection
- Think about previous data breaches or leaks your organisation has experienced and their impact
Power outage
- Specify which locations or sites (e.g., head office, branch offices) would be most impacted by a power outage
- Identify the critical functions and operations at the chosen site and how a power outage would impact them
- Consider the existing backup power solutions (e.g., generators, UPS) your organisation has in place and their limitations
- Customise the scenario based on the specific geographic region and its vulnerability to power outages
- Reflect on any past power outages your organisation has experienced and their impact on operations
Civil unrest and restricted office access
- Specify the location of your offices that would be impacted under the scenario
- Identify which employees, teams or functions would be affected and how their safety and ability to work could be impacted
- Consider which business functions are most vulnerable to disruption due to restricted access to your offices
- Think about the feasibility and readiness of remote work or relocation options for your organisation
- Reflect on previous instances of civil unrest near your organisation and their impact on operations
IT outage
- Identify the specific IT services or systems within your organisation impacted by an outage under the scenario
- Consider which departments or business functions would be most affected by the loss of those IT services
- Think about alternative solutions or backup systems that your organisation has in place to mitigate IT outages
- Customise the scenario based on the geographic distribution of your IT infrastructure and services
- Reflect on previous IT outages your organisation has experienced and their impact on operations