The purpose of this study is to illustrate how exercises can play the role of a driving power to improve an organization’s cyber security preparedness. The degree of cyber security preparedness varies significantly among organizations. This implies that training and exercises must be tailored to specific capabilities. In this paper, we review the National Institute of Standards and Technology (NIST) cybersecurity framework that formalizes the concept of tier, which measures the degree of preparedness. Subsequently, we examine the types of exercises available in the literature and propose guidelines that assign specific exercise types, aims, and participants to each level of preparedness. The proposed guideline should facilitate the reinforcement of cybersecurity risk management practices, reduce resource misuse, and lead to a smooth improvement of capabilities.

1. [1] R. M. Lee, M. J. Assante, and T. Conway, “Analysis of the cyber attack on the Ukrainian power grid,” SANS Industrial Control Systems, 2016.
2. [2] S. M. Rinaldi, J. P. Peerenboom, and T. K. Kelly, “Identifying, understanding, and analyzing critical infrastructure interdependencies,” IEEE Control Systems, Vol.21, No.6, pp. 11–25, 2001.
3. [3] A. Boin and A. McConnell, “Preparing for critical infrastructure breakdowns: the limits of crisis management and the need for resilience,” Journal of Contingencies and Crisis Management, Vol.15, No.1, pp. 50–59, 2007.
4. [4] D. Elliott, E. Swartz, and B. Herbane, “Business Continuity Management 2e: A Crisis Management Approach,” Taylor & Francis, 2010.
5. [5] J. Ford and A. M. Schmidt, “Emergency response training: strategies for enhancing real-world performance,” Journal of Hazardous Materials, Vol.75, No.23, pp. 195 – 215, 2000.
6. [6] J. Borell, “Manage everything or anything? Possible ways towards generic emergency management capabilities,” Journal of Disaster Research, Vol.10, No.2, pp. 246–251, 2015.
7. [7] National Institute of Standards and Technology (NIST) and United States of America, “Framework for Improving Critical Infrastructure Cybersecurity,” 2014.
8. [8] J. Rasmussen, “Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models,” IEEE transactions on systems, man, and cybernetics, Vol.3, pp. 257–266, 1983.
9. [9] T. Aoyama, k. Watanabe, I. Koshijima, and Y. Hashimoto, “Developing ICS Security Training for Resilient Cyber Incident Management,” Proceedings of the 7^th International Symposium on Design, Operation and Control of Chemical Processes (PSE Asia 2016), Jul 2016.
10. [10] US Dept of Homeland Security and United States of America, “Homeland Security Exercise and Evaluation Program (HSEEP) Volume I: HSEEP Overview and Exercise Program Management,” 2007.
11. [11] T. Grance, T. Nolan, K. Burke, R. Dudley, G. White, and T. Good, “SP 800-84. Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities,” 2006.
12. [12] “ISO 22398:2013 Societal security ? Guidelines for exercises and testing,” Standard, International Organization for Standardization, Geneva, CH, March 2013.
13. [13] T. Grant and B. Kooter, “Comparing OODA & other models as operational view C2 architecture,” In Proceedings of the 10^th International Command and Control Research Technology Symposium, 2005.
14. [14] C. Eagle, “Using Capture the Flag Events as Training Opportunities,” Hitachi Review, Vol.63, No.5, pp. 1–92, 2014.
15. [15] “Kaspersky Interactive Protection Simulation,” 2017.
16. [16] “Introducing the Activities of Control System Security Center (CSSC),” 2016.
17. [17] NISC channel,“Enhancement of IT incident response capabilities in Critical Information Infrastructure (CII),” Apr 2016.