Beyond Crisis Response: Using Governance Tabletop Exercises to Strengthen National Cybersecurity Strategies

Author: Alessandro Ortalda, Managing Director, Experirē Strategy and Advisory
In the past decades, the number of National Cybersecurity Strategies (NCS) has grown consistently[1]. While the trend highlights the effort states are putting into cybersecurity governance, this does not automatically translate into an equal increase in cybersecurity maturity. Indeed, the effectiveness of the strategies, understood as the capacity to guide states to achieve their objectives in cyberspace, varies widely, and their benefits are sometimes diminished by a misalignment between the strategy’s goals, the expectations of national stakeholders, and how national cybersecurity is governed.
The challenge is institutional and political, rather than technical, and concerns how authority is exercised, priorities are set, and governance architecture functions in practice. These are complex aspects that demand both time and effort to address, requiring policymakers to adopt tools to surface them as soon as possible so they can start working on them right away. This is where well-designed tabletop exercises (TTXs) come into play. Used appropriately, TTXs can inform policymakers about downstream issues that may arise after an NCS is implemented and help them prepare in advance or adjust their approach.
This article focuses on a specific type of TTX, the governance TTX, and looks at it in the context of national cybersecurity. It aims to provide readers with a clear understanding of what these exercises are, especially how they differ from incident-response TTXs, and how they can be deployed across the lifecycle of a national cybersecurity strategy to maximize their value.
TTXs in the context of national cybersecurity governance
A tabletop exercise is a structured, discussion-based simulation in which participants engage with a fictional but usually plausible scenario[2]. The TTX is just one type of exercise among many (see Figure 1). Its distinguishing feature is that, unlike technical drills or live cyber exercises, it does not primarily aim to test processes, systems, or tools. Rather, TTXs help develop decision-making, coordination, and clarity of mandates, making them ideal tools to deploy during the strategic planning stage.
Figure 1: Different types of exercise. Source: US DHS, HSEEP

Over the past decade, international institutions, national authorities[3] and communities of practice[4] have produced a growing body of literature outlining guidelines for designing and running TTXs. While extremely valuable, most guidelines tend to focus on one specific type of TTX, namely TTXs based on incident or crisis scenarios. In this article, the focus is on a different type of TTX, one that addresses strategic governance and does not necessarily involve incidents or crises in its narrative.
Incident-response TTXs and governance TTXs: related but distinct
Many cyber TTXs are designed primarily to improve incident response. Their focus is on crisis coordination: information sharing, escalation, public communication, and operational decision-making. These exercises are valuable and necessary. They help institutions practice incident management once incidents occur.
Governance TTXs focus less on incident response and more on holistic cybersecurity governance. In these exercises, incidents are often used merely as triggers or narrative devices, or might even be absent altogether from the narrative. The real objective is to help stakeholders examine cybersecurity from a broader perspective, focusing on strategic direction, policy coherence, and governance architecture, rather than engaging them in an incident-management mindset.
Table: Some underlying questions behind the different types of TTX
| Incident-Response TTXs | Governance TTXs |
|---|---|
| Are stakeholders ready to respond to a cyber-crisis? | Are national priorities clear and shared across institutions? |
| Do existing mandates outline roles and responsibilities during crises? | Do existing mandates support the strategic objectives set out in policy? |
| What practical constraints may the country encounter during a crisis? | Where do legal, institutional, or political frictions emerge? |
Governance TTXs do not focus on or aim to develop operational excellence. They are about strategic clarity and institutional design. This is not a trivial difference. It influences not only the objectives that governance TTXs are designed to achieve but also the stakeholders who should participate in them, with governance TTXs prioritizing high-level decision-makers and political figures rather than technical or operational figures.
At the national level, TTXs typically involve representatives from across government and beyond, including ministries, regulators, national authorities, law enforcement, defense, and, sometimes, critical infrastructure operators. The deeper a TTX goes into governance-related themes, the higher the participants’ seniority should be.
The value of governance TTX for NCS
Cybersecurity strategies are programmatic, negotiated instruments that prioritize certain aspects over others and that balance competing mandates, institutional interests, and political sensitivities. Inevitably, this leads to ambiguities, which may concern leadership, coordination authority, or the relationship between civilian, security, and economic actors.
Left untested, such ambiguities persist. They may not prevent strategy adoption, but they may undermine strategy credibility and effectiveness. Governance TTXs provide a structured way to surface these tensions in a controlled environment. By simulating how a certain governance architecture would work, they put pressure at an abstract level, revealing how governance arrangements function beyond formal charts and legal texts, and making visible the difference between nominal responsibility and effective authority.
For example, a government may not have clearly assigned budgetary responsibility for cybersecurity, forcing institutions to navigate complex public finance processes before taking action. Alternatively, especially in distributed national architectures, it might be unclear who ultimately approves strategic cybersecurity decisions. Sometimes these challenges are huge and very visible. Sometimes they are small and depend on numerous factors to materialize. Governance TTXs help surface such situations in a controlled and safe environment.
These exercises are intentionally framed around strategic choices: setting priorities, managing institutional roles, and navigating policy trade-offs. Technical detail is deliberately limited. The value lies in helping participants practice strategic reasoning, clarify governance assumptions, and reflect critically on national cybersecurity architecture. In a sense, governance TTXs can serve as sandboxes for policymakers to stress-test ideas and assumptions.
This makes the governance TTX a perfect fit for two very specific phases of the NCS lifecycle[5]: Stocktaking and Analysis; and Monitoring and Evaluation. Depending on when the governance TTX is deployed, it serves different purposes.
When the governance TTX is deployed during the Stocktaking and Analysis phase (that is, when the drafting work on the NCS has not concretely started yet), it holds value not only to inform stakeholders about the current status quo in the country (e.g., identify where the main decision nodes on cybersecurity are positioned; highlight responsibility gaps, etc.), but also to get stakeholders together and help them find agreement regarding the strategic directive the NCS will have to follow. This happens when every stakeholder brings their institution’s perspective to the table. By working as a cohesive group, participants can isolate the country’s most important strategic needs and identify how to address them in the strategy.
On the other hand, when the governance TTX is delivered during the Monitoring and Evaluation phase, stakeholders can use the opportunity to revisit what has been formalized into the strategy, test if assumptions are still valid, and decide if they want to move forward by adapting the Action Plan, modifying the NCS, or publishing a new NCS. For example, by participating in a TTX, stakeholders might realize that the NCS reflects strategic directives built around technologies from which the country has pivoted, requiring adjustments to the national posture.
TTXs are not about simplifying complex issues, but about making the underlying logic of cybersecurity governance visible. Participants experience how their choices affect others, and how strategic direction translates (or fails to) into coordinated action.
Simulation and gamification in support of strategic thinking
In its simplest form, a TTX involves bringing participants together to discuss how to solve an issue, navigate a challenge, or behave in a given scenario. TTXs usually confront participants with a specific evolving situation and force them to decide how the state should act. The situation can evolve through narrative devices called injects (usually controlled by facilitators), through participants’ actions that modify the scenario, or both. This minimalist delivery approach can then be enriched with additional tools, methodologies, artifacts, and other assets. In this regard, the creativity of TTX designers is the only real limit.
One approach that has risen to the forefront in the last few years is the one that leverages gamification, defined by Brian Burke as the use of game mechanics and experience design to engage and motivate people to achieve goals.
This approach has proved particularly useful for senior policymakers. Indeed, experience in the field tells us that policymakers, when exposed to gamified TTXs, often report a clearer understanding of national priorities, a greater appreciation of institutional dependencies, and more realistic expectations of what governance arrangements can deliver. For them, traditional policy tools (such as briefings, consultations, and expert workshops) may be limited in encouraging critical reflection on the blind spots and challenges of how governance systems operate, especially in fast-paced domains like digital technology and cybersecurity. Gamified simulations introduce a different dynamic, placing participants in situations where choices must be made despite uncertainty, incomplete information, and competing objectives.
Recognizing the value of this approach, international actors such as the International Telecommunication Union have developed gamified cybersecurity governance TTXs that place participants in the role of national cybersecurity decision-makers, leveraging game mechanics such as experience progression, resource management, gated decision paths, and branching logic. It is likely that, in the coming years, the trend will continue and more tools will be created.
Conclusion
National cybersecurity strategies are essential instruments of statecraft in the digital age. Yet their effectiveness depends not only on the quality of their drafting, but on the robustness of the governance arrangements that sustain them. Strategies articulate intent, while governance determines outcomes.
Governance tabletop exercises offer policymakers a structured means to test whether strategic intent is institutionally feasible, politically coherent, and operationally realistic. By creating a controlled environment in which trade-offs, ambiguities, and coordination challenges can be explored, these exercises expose the friction points that formal documents alone cannot reveal. They enable policymakers to identify gaps in authority, misaligned incentives, unclear mandates, and resource constraints before real-world crises reveal such weaknesses.
Ultimately, effective cybersecurity governance is not achieved solely through legislation, organizational charts, or formal mandates. It is forged through practice, dialogue, and the disciplined examination of how decisions are made. Tabletop exercises, when thoughtfully designed and strategically deployed, provide precisely that opportunity.
[1] https://www.experiree.com/Publications/National_Cybersecurity_Strategy_A_Primer.html
[2] https://www.fema.gov/sites/default/files/2020-04/Homeland-Security-Exercise-and-Evaluation-Program-Doctrine-2020-Revision-2-2-25.pdf
[3] https://nukib.gov.cz/download/publikace/navody/cviceni/Manual_TTX_FINAL.pdf and https://www.cisa.gov/resources-tools/resources/cybersecurity-scenarios
[4] https://thegfce.org/wp-content/uploads/Deliverable-1-Intro-to-TTX-Final-Version.pdf
[5] https://ncsguide.org/ncs-guide-2025/3-lifecycle/