| 2 min read
| Sep 12, 2018
| by Mike Lafaille

Oh Noes! A new approach to IR tabletop exercises

Welcome to Oh Noes!

A role-playing game that makes testing your incident response plan fun

A real-life security incident isn’t the best time to test your incident response (IR) plan. It can be stressful. You’ll be dealing with the technical response, pressures from upper management, incomplete information, and a lack of sleep. When you add it all up, it leads to bad decisions and bad outcomes.

If you’ve got an incident response plan, that’s great. You’re already (sadly) ahead of many organizations. However, if you’re not exercising your plan on a regular basis, chances are you’ll struggle to answer basic questions when that inevitable incident is at hand.

Let the games begin

So what’s a prepared security professional to do in absence of real incidents? Play pretend! Do an incident response tabletop exercise where you pretend a bad thing has happened and your team has to work together to resolve the incident. When done on a regular basis, these tabletops serve two purposes:

  1. They help identify issues in your organization before real attackers do
  2. They build muscle memory around the incident response process so that when a bad thing happens, everyone knows what to do

The more you can tabletop the better. Ideally, you’d do it once a quarter to keep people fresh and ready for the next incident. That’s way more often than the industry average (we guess more orgs do this once a year at best). But the benefits are incredible when you tabletop that frequently.

A new approach to IR tabletop exercises

A meeting request with the subject “Quarterly incident response exercise” may not get the response rate you’re looking for from busy executives. So how do you get people engaged?

Enter “Oh Noes! An adventure through the cyberz and $#*!.” Oh Noes! is a role-playing game I created with the help of my son, Robert Potter. Bobby’s an avid role-playing gamer and Oh Noes! takes elements from role-playing games like “Dungeons & Dragons” and “Stars Without Number” and combines them with more traditional cyber tabletop exercises. In Oh Noes! you and your coworkers create characters with unique abilities and skills. Then, you role-play your character through various cybersecurity incidents specific to your organizations.

Along the way, you’ll roll dice, gain experience points, increase your skills, and (if you’re doing it right) eat snacks covered in finger-staining cheese dust. You’ll also learn about your strengths and weaknesses as an organization and get familiar with your IR plan. All this while you’re playing a game. We’ve used Oh Noes! At Expel and we’ve made some pretty big changes to our systems based on what we’ve learned. We hope you get as much value from Oh Noes! as we have.

Download the Oh Noes! kit

You can download everything you need to get started with Oh Noes! here. It includes:

  • The Incident Master Guide (like the Dungeon Master Guide … get it?)
  • A blank character sheet
  • Sample scenarios to get you started with your first few games.

Take it for a spin and let us know if you have any questions or feedback on how we can make Oh Noes! better.


The Most Innovative and Important People in DC’s Tech Scene

Read More