1.3 Find out the Needs
Why are needs important?
Exercises always require resources, so it makes sense to maximize the probability that your exercise will be effective. But how do you know it was useful? In general, an exercise was useful if it fulfilled the need. The need is about connecting the exercise to what you really want to achieve.
All needs come down to "we want to be secure" or "minimize costs and maximize gains"—whether that's money, reputation, or other forms of impact. While these needs are real and foundational, you need to be more specific to create an effective exercise.
In this part of the documentation, we present several approaches to help you understand the needs behind the exercise. Your exercise should address one need or a set of tightly connected needs. Trying to cover everything results in an exercise about everything and nothing.
Warning
Don't create exercises only to check a compliance box. It is probably not worth the resources.
Methods to Discover Needs
There are various methods to uncover genuine needs behind an exercise. This is not about theorizing or creating complex approaches. On the contrary, you need to clarify the need in the simplest way so you can base your entire approach on it. Use what's available—one method might be enough, or you may need to combine several. The goal is simple: understand what problem you're solving before you design the exercise.
- Rely on Your Intuition
If you know your context well, you may already know what needs training. Even if this is the case, using other methods from this list may enhance your perspective and help you formulate an even sharper need.
- Formal Response Plans
Documents like Business Continuity plans, Disaster Recovery protocols, or emergency response procedures and playbooks describe step-by-step how to handle incidents. Gaps in these plans—or unclear steps—often indicate training needs. If such documents exist in your context, they're valuable starting points.
- Impact Analyses and Risk Assessments
These formal documents identify vulnerabilities and potential consequences. They reveal what skills or knowledge would mitigate risks and where training could have the most impact.
- Incident Reports
Real incidents show exactly where processes broke down or people struggled. They can be internal organizational incidents, public case studies, or documented attacks from news sources. Both successful responses and failures provide learning opportunities.
- Previous Training or Exercise Reports
See what worked, what didn't, and what participants requested or where they struggled. These reports often reveal persistent gaps that need addressing.
- Competency Frameworks
Frameworks such as the NICE Workforce Framework, ECSF Role Profiles, or national frameworks define what specific roles should know and be able to do. Select the relevant role, review the described competencies, and identify the most important ones for your exercise. The need is to minimize the gap between the current state of your participants and the competencies described in the frameworks.
- 5 Whys Method
This technique helps you drill down from surface symptoms to root causes and genuine needs. The process is simple: when someone states a need, ask "why" repeatedly to uncover the underlying problem.
- Generative AI
AI tools can help you explore needs in several ways: generating scenarios based on descriptions, identifying potential gaps you haven't considered, or helping formulate better questions for stakeholder interviews. Just be careful about what information you share with these services, especially regarding sensitive organizational or personal data.
Note
In the end, you should have a simple statement in the form: "We need this exercise to..."
This is not a pro forma statement.
In the Reflection phase, you will return to this need and ask: Did the exercise fulfill the need—the reason we created it in the first place?
Examples of Needs
Here are examples of needs you may encounter in your context.
We need this exercise to... – Examples
Team Dynamics and Coordination
- Train teamwork skills (e.g., how to delegate tasks during an active incident, who takes which role in crisis response)
- Practice coordination across multiple teams (e.g., IT team coordinating with legal and PR during a data breach)
- Practice communication and information sharing with counterparts (e.g., what to communicate to law enforcement, how to brief media, when to inform other organizations)
Process and Policy Validation
- Test new organizational structures, technologies, tools, or processes (e.g., validate whether the new incident escalation process works under pressure)
- Expose and validate cybersecurity policies and procedures (e.g., check if the data breach response policy covers ransomware scenarios)
- Practice specific response processes or protocols (e.g., execute the first 30 minutes of incident response protocol)
Decision-Making and Reporting
- Practice reporting to managers and decision-makers (e.g., what information executives need to know immediately, how to frame technical issues for non-technical leadership)
- Train participants to make decisions with incomplete information (e.g., decide whether to shut down systems when you're not sure if the breach is ongoing)
- Experience work under stress and time constraints (e.g., prioritize actions when multiple systems are failing simultaneously)
Contextual Understanding
- Grasp the broader implications of cyber incidents (e.g., understand how a ransomware attack affects business operations, legal obligations, and public reputation)
- Gain deeper understanding of how incidents affect different stakeholders (e.g., recognize why finance, legal, and operations teams have different priorities during the same incident)
- Understand the cascading effects of security decisions (e.g., see how blocking external access solves one problem but creates others for remote workers)
Awareness and Education
- Enhance cybersecurity education and awareness (e.g., recognize what to do if you lose your phone with company data, identify phishing in realistic emails)
- Help participants recognize threats they haven't encountered before (e.g., spot signs of insider threat, identify supply chain attack indicators)
- Build shared understanding of risks across different roles (e.g., help HR understand why security asks for certain onboarding procedures)