
Insider Risk Insights - DTEX Blog

The Proactive Power of Tabletop Exercises in Insider Risk Management


As the adage goes, “practice makes perfect.” To get as close to perfection as possible in any endeavor, one must expect there to be an education and practice quotient. This is especially true for insider risk management (IRM), where there is no room for error.

For an IRM team, tabletop exercises provide an opportunity to test-drive the processes, procedures and, above all, the expectations that underpin the organization’s insider risk program.

The 2023 Ponemon Cost of Insider Risks Global Report highlighted how “the average number of days to contain an insider incident” was “86 days.” Consider 86 days of operational expenses being expended trying to wrap a ribbon around an incident; it is likely to feel like trying to shove toothpaste back into its tube.

The report also shines the light on how few IRM programs are adequately resourced, with only $200 on average being allocated per employee toward the IRM program. Amazingly, the funds are usually culled from the information security budget and are spent, “after an insider incident has occurred.” No doubt, the IRM program has a technological component, yet the heartbeat of the program is the individual – the insider.

Goals, Goals and Goals

The Chief Financial Officer (CFO) wants operational expenses (OpEx) to be predictable. When the cost of an incident falls into the category of “Oh, we need another x-amount of OpEx to mitigate an incident,” then one isn’t well prepared.

The scenarios brought to the tabletop exercise can and should be drawn from the robust archive of insider-related security incidents that have been documented across industry. In addition, within the corpus of “day in the life” behavioral norms, one can chart the potential for enhanced and increased risk when early risk indicators are detected, rather than waiting for indicators of an incident.

To be successful requires practice. IRM teams should practice scenarios where an individual is triggering indicators of possibly enhanced risk as a malicious employee. Similarly, they should practice scenarios where employees are outsmarted or duped by a malicious individual who uses cleverly written phish or other lures to entice them into a behavior which, under normal circumstances, would not occur. One can’t leave out the careless employee, the one who just isn’t paying attention or for whom rules and regulations are for others.

With only the Ponemon report at one’s disposal, it may be difficult to satisfactorily answer the caustic questions from those who may not be on board as to the necessity and value of a robust and well-resourced insider risk program capability. This is where the benefits of the tabletop exercise shine.

Benefits Up Front

The tabletop exercise goes a long way toward bringing the skeptics around. It pays to lead with the benefits when trying to sell the idea. Preemptively answering the questions ‘What’s in it for me?’, ‘How does this apply to our company?’, and ‘Can you measure success?’ can go a long way.

  • Identify gaps, vulnerabilities, and broken processes. Does the ‘planned’ response to a potential incident reduce the risk, or are the processes deficient?
  • Confirm alignment of roles and responsibilities. The adage that one must never assume has never been more apropos than when roles and responsibilities are found to be misaligned.
  • Improve decision-making through improved collaboration and coordination. In the world of business continuity, the plan must be executable by those present. The same logic applies to the insider risk program response and decision making. One may not have the luxury of waiting for a ‘designated individual’ to report on station to make decisions. The tabletop allows for the development of the playbook, so the decision trees are predictable and can be followed by those present.
  • Identify resource deficiencies or over-expenditures. A clear line can and should evolve demonstrating adequate resourcing to handle IRM team engagement in both a proactive and predictable manner, as well as a full-on and much more expensive, reactive manner.
  • Confirm readiness for a potential incident. The rehash and analysis of the tabletop exercise provides one with a roadmap to improved posture, changes in process and procedures, and the development of the always beneficial muscle memory. This last point can’t be over-emphasized. The knowledge of knowing one has been here before is truly priceless, as it serves to enhance one’s capabilities for the next opportunity.

Conclusion

Through the execution of tabletop exercises, entities can and should expect to garner insight into resources needed or deemed superfluous, identify where leadership must engage and where decisions can be delegated, and improve speed of response – be it physical, technological or leadership.

The tabletop allows entities to know with a greater degree of confidence employees or team members can be trusted to do the right thing, at the right time for the right reasons.

No longer will an entity be in a position of saying, “Oh no, now what?” Instead, they will have a playbook at hand. Their path to be traversed will be well illuminated, and the desired outcome identified. Their IRM team and those supporting their success will have moved from the world of the theoretical to ‘practiced and proven,’ and the insider risk program can be counted on to ‘know what to do, and when to do it.’ If I may take a bit of poetic license with Rudyard Kipling’s “If: A father’s advice to his son,” the tabletop exercise allows the IRM team to keep their head when all about them are losing theirs.

For more insider risk insights, visit the DTEX i³ Insider Risk Research Hub.
