Skip Navigation

What is an Insider Threat Tabletop Exercise? (Part 1 of 3)

This is part one of a three-part blog series. Part one will define the insider threat tabletop exercise and describe who should be involved. Part two will explore the best places and times to conduct an insider threat tabletop exercise and the value that it will provide your organization. Part three will delve into the mechanics of how to properly conduct an insider threat tabletop exercise.

Traditional tabletop exercises are discussion-based sessions where team members meet to discuss their roles and responses during an emergency. A facilitator guides participants through a discussion of one or more scenarios. Tabletop exercises have long been utilized by military and government agencies. Traditionally, exercises were focused on emergency response (military, police, first responders, etc.) and utilized by responsible agencies to test their effectiveness in responding to various emergency scenarios. In the last decade, tabletop exercises have become commonplace to test cybersecurity preparedness and responses. The use of tabletop exercises has also expanded beyond the government and today many corporations rely on such exercises to gauge, test, and improve their cybersecurity effectiveness. While these cybersecurity exercises focus on external threats, leading companies are increasingly seeking to apply the tabletop model to insider threats.  

What is an insider threat tabletop exercise? 

An insider threat tabletop exercise is a set of verbally simulated scenarios focused on insider actions (those to whom legitimate access to assets is given) that if occur, will result in serious business impacts. While insider threat tabletop exercises are similar to traditional and cybersecurity exercises, there are distinct differences in both form and substance. 

Non-binary and Asymmetrical 

Insider threats are by definition non-binary and asymmetrical. There are a plethora of indicators and vectors that must be understood to effectively manage insider threats – behavioral, ingress, egress, access, etc. Additionally, insiders, by virtue of their legitimate access, are superiorly positioned to bypass or sabotage the organization’s defenses while targeting vulnerabilities. Essentially, the insider has an unfair (or asymmetric) advantage over the organization which makes it difficult to prevent, detect, and mitigate their (non-binary) actions.  

Insider threat tabletops must be designed to account for and test the organization’s readiness and response to these non-binary and asymmetric actions. We’ll explore the design and implementation features to meet these requirements in part three.

Proactive by Design

Insider threat tabletops are inherently proactive. The non-binary and asymmetric nature of the threat requires that exercises be infused with Key Capability Factors (KCFs), Key Risk Indicators (KRIs), and Key Performance Indicators (KPIs) designed to promote the prevention and detection, not simply the response to an incident. We’ll further explore the design and value features in part two. 


Insider threat management requires a cross-functional or team approach. A cross-functional team is a group of people with different functional expertise working toward a common goal (insider risk management). It should include people from HR, legal, operations, as well as participants from CRO, CISO, and CSO departments. The level of cross-functional collaboration is directly correlated to the maturity of the insider threat program. In short, it is difficult at best, to effectively manage insider risk in a siloed model. As such, the insider threat tabletop exercise should also reflect this team approach and include representative members from each department.  

Who should be involved with an insider threat tabletop exercise?  

Effective insider threat tabletop exercises should have several distinct roles and responsibilities and should be representative of the cross-functional team discussed above.  

Players-Participants: respond to the situation presented based on their respective SME knowledge of current plans, procedures, and insights derived from training and experience. Generally, analysts and investigators responsible for the day-to-day operational implementation of managing insider risk.  

Observers: watch the exercise and are not Participants in the discussion. Generally, managers and supervisors of the Participants with oversight responsibilities for the insider risk program.  

Facilitators: ideally are individuals with functional area expertise that facilitate exercise discussion. The Facilitator is responsible for keeping the discussion focused on exercise objectives and ensuring all key issues are explored (time permitting). Oftentimes the facilitator is a third-party consultant with broad insider threat experience capable of providing objective and tailored insight to the exercise.  

Data Collectors: are responsible for gathering relevant data arising from facilitated discussions during the exercise. They will then use this information to collectively develop the After-Action Report.  

Contact ITMG to Build, Facilitate, and Implement Your Insider Threat Tabletop Exercise 

ITMG is a pioneer in building insider threat tabletop exercises and an industry leader in helping organizations throughout the United States strengthen their insider risk management programs and securing sensitive data and intellectual property. Our team of bona fide experts has the real-world experience necessary to plan out and create holistic tabletop exercises tailored to the special needs and risks in your industry. Contact ITMG today to learn more about how we can help or submit an RFP to explore an engagement!

This entry was posted on Tuesday, February 15th, 2022 at 9:04 pm. Both comments and pings are currently closed.