Why crisis simulations fail and how to fix them

In this Help Net Security interview, Allison Ritter, Head of Cyber Experiential Exercising at Cyberbit, shares her insights on the key differences between in-person and virtual cyber crisis simulations and what makes each approach effective. Ritter highlights the need for effective communication, clearly defined roles, and realistic scenarios to help teams perform under pressure.

Could you explain the key differences between in-person and virtual crisis simulations? Which do you find more effective, and why?

Virtual and in-person cyber crisis simulations are both essential components of a crisis readiness strategy, with the right format depending on business goals and context.

Producing an onsite event and bringing the entire team together requires significant coordination, but the results are worth the investment. When working with executive teams, I typically design a roadmap that starts with an in-person event to establish a strong foundation for crisis management. This is followed by virtual scenarios to deepen those skills and maintain a state of readiness. Interestingly, the onsite event is often the first opportunity for members of the crisis response team to meet face-to-face. It creates a unique environment where participants can lower their guard and engage in an open, no-fault scenario, fostering collaboration and trust from the outset.

In-person simulations create an immersive environment for participants to master the essentials of crisis response, from effective communication protocols to decision-making frameworks. They foster real-time communication and teamwork, which are critical for navigating high-pressure scenarios. By mirroring real-life crises, they also encourage and strengthen team cohesion and trust through authentic interpersonal dynamics. Teams benefit from face-to-face interaction and non-verbal cues, enhancing the experience and allowing for immediate feedback, organic discussions, and relationship building.

When designing a crisis exercise, I intentionally include dedicated moments for participants to step away from the scenario and engage in open dialogue. These purposeful pauses create space for discussions to flow naturally, allowing participants to delve deeper into key insights and build on critical areas revealed during the simulation. Such exchanges often become invaluable opportunities for reflection and collaboration.

Another advantage of in-person exercises is that they provide a unique opportunity for technical leadership, like SOC and DFIR managers, to align with executive teams on goals, roles, and expectations in one shared physical space. I highly recommend combining technical cyber range exercises for the incident response and SOC teams with the executive exercises. These teams often work in silos and speak two completely different “languages”. Bringing them together breaks down this silo and removes the screen barrier that can make communication awkward or stifled.

We frequently incorporate role-playing, live acting, and dynamic demonstrations into exercises. These elements infuse a heightened sense of realism and urgency, fostering deeper engagement and fully immersing teams in the experience.

Virtual exercises, on the other hand, are excellent for fostering collaboration across distributed teams. In today’s world, many organizations are spread across different locations and time zones, making virtual management of cyber crises a very real scenario. By conducting virtual simulations, you can validate digital communication processes and playbooks, ensuring they function seamlessly across distributed teams when it truly matters.

This approach also works beautifully as a follow-up strategy. In fact, I’ve orchestrated plans where we hold two in-person events annually, complemented by two surprise virtual scenarios. Picture this: on a random Tuesday, you kick off the event unannounced, putting everyone’s skills to the test. And let me tell you, in my experience, cyber crises have an uncanny knack for happening at the most inconvenient times—like late on a Friday afternoon or right before a long holiday. It’s the perfect way to prepare teams for the unexpected.

How has technology, such as AI and VR, transformed the approach to crisis simulations?

We incorporate AI into the development process when crafting custom crisis scenarios, but let’s just say the technology still has a bit of growing up to do. Case in point: I was preparing content for an event in Paris this summer and turned to AI to help generate image ideas. My goal was to capture a summer vibe with frustrated individuals—sounds straightforward, right? Well, the AI had a slightly different interpretation of “frustration in the summer,” repeatedly serving up shirtless men. I finally had to type, “Everyone must wear a shirt.” Lesson learned: AI is an incredible tool for managing and navigating cybersecurity incidents, but it definitely needs some human supervision to keep things on track—and fully clothed!

That said, AI’s potential in crisis simulations is only just beginning to be fully realized. For example: AI can accelerate the design of executive exercise scenarios; by integrating organizational challenges, regulatory requirements, and playbooks, AI can generate a storyboard or script for a tailored crisis exercise that aligns to the specific needs of an organization. On the production side, we use AI to build customized media assets, like videos—for example, a newsflash about an attack that is taking place. On the technical side of cyber range simulations, AI can play the adversary during a SOC or incident response exercise. While VR hasn’t yet become commonplace in crisis simulations, it holds great promise for bridging the gap between remote and in-person experiences; by allowing teams in distributed locations to collaborate in a virtual environment it enables face-to-face interactions that “feel” like they’re in person.

What are the most common challenges teams face during simulations, and how can they overcome these?

The most common challenges we encounter are communication breakdowns, role confusion, and decision paralysis.

Communication gaps are particularly common between technical leadership and business executives. These teams work in silos, which often causes misalignment and miscommunication. Technical staff use jargon that executives don’t fully understand, while business priorities may be unclear to the technical team. As a result, it becomes difficult to discern what requires immediate attention and communication versus what constitutes noise. This slows down critical decisions. Now throw in third-party vendors or MSPs, and this just amplifies the confusion and adds to the chaos.

Role confusion is an interesting challenge. Crisis management playbooks typically have roles assigned to tasks, but no detail on what these roles mean. I have seen teams come into an exercise confident about the name of their role, but with no idea what the role means in terms of actual execution.

Many times, teams don’t even know that a role exists within the team or who owns it. A fitting example is a “crisis simulation secretary” — someone tasked with recording the notes for the meetings, scheduling the calls, making sure everyone has the correct numbers to dial in, etc. This may seem trivial, but it is a critical role, as you do not want to waste precious minutes trying to dial into a call. I’ve seen organizations that do not have this role in place take thirty minutes just to get three or four team members on a call, let alone the entire crisis response team.

So, during the exercise I recommend discussing and clarifying for everyone what the roles are; I personally do this before each exercise I run.

Decision paralysis is a challenge that arises on both the technical and executive sides. During my time managing the SOC at IBM, I witnessed this firsthand. Brilliant technical experts, capable of uncovering the most elusive malware, often grappled with the task of conveying their findings to leadership. They would spend hours debating whether to escalate a potential threat, paralyzed by the fear of being wrong. A false positive could lead to criticism and even impact their performance reviews, creating a culture of hesitation that undermines swift decision-making.

Making decisions under pressure is the cornerstone of the training we run, and let me tell you, it can lead to some unforgettable moments. During one crisis simulation session, we had a participant navigating a live scenario with an actor. At first, the participant was composed, managing the situation with admirable confidence. But as the pressure mounted and the questions became increasingly complex, they hit a wall. Realizing they were in over their head, they didn’t just metaphorically fold—they physically slid under the tablecloth and turned away, as if hoping to vanish into the fabric of the universe. It was both unforgettable and a stark reminder of how real stress feels in these scenarios. We had a good laugh later—and a great learning moment about staying cool under fire!

My top three recommendations to overcome these challenges:

1. Work on communication between technical and business teams so they can translate technical details into clear, actionable insights for executives. This is one of the most under-practiced areas when working through a crisis simulation. Improving communication between the teams can eliminate decision paralysis because it builds trust between the teams and empowers the technical team with the courage to “push the big red button” and alert leadership when they believe there is an issue, without fear of being criticized.

2. Establish predefined communication protocols – I recommend creating templates for specific crisis scenarios, ensuring quick and consistent messaging. This can be created as an outcome of the crisis simulation.

3. Include executives in simulations – This may sound trivial, but in reality, it is difficult to get C-Suite members including CEO, CFO, Legal and Communications together. I would not compromise here as you want these teams collaborating and communicating effectively in a cyber crisis.

What innovations do you foresee shaping the future of crisis management training?

The future of crisis management training is all about experience. Crisis management training is traditionally a “what if” decision-making exercise. It started with pen-and-paper tabletop exercises, evolved to PowerPoint presentations, and then advanced to crisis simulator applications that presented the same tabletop questions in a digital, non-linear format. However, what is missing is the emotional rollercoaster of a real cyber crisis—the pressure from unexpected calls, customers, and media, which impacts your ability to think, communicate, and make decisions. With new technological advancements, we are moving toward a movie-like experience where you’re thrown right into the scene.

The second important innovation will be the ability to seamlessly integrate an operational exercise, like a cyber range, into the crisis exercise. Pairing executive simulations with technical training is the cornerstone of modern crisis management evolution. It’s crucial to ensure that technical teams are not just proficient but deeply skilled in the tools they rely on daily in the SOC. By integrating this expertise into hands-on training sessions, they can bridge the gap between operational know-how and executive-level decision-making. This holistic approach fosters seamless communication, enabling technical insights to inform high-level strategy, ensuring a coordinated and effective response during real-world incidents. It is the final step in making the experience as close as it gets to the real world.
