The best tabletop exercise (TTX) scenario in the world will fail if the right people aren’t in the room.
A common mistake is treating the TTX as a purely technical drill and inviting only IT and Security staff. A truly valuable exercise tests the entire organization's ability to manage a crisis, from the server room to the boardroom.
This post defines the necessary participants (Cast of Characters) and the essential Rules of Engagement that ensure productive, high-value discussions.
The Cast of Characters: Essential TTX Roles
A well-rounded TTX includes four levels of participants, all of whom have distinct roles and decision authority during a real crisis.
| Role | Key Departments and Responsibility | Why They Must be There |
|---|---|---|
| The Command | Incident Commander (IC), Deputy IC, Crisis Manager | Unified Control and Decision Authority. They are the single point of contact responsible for overall strategy, setting objectives, resource allocation, and approving major mitigation actions. This role is non-negotiable. |
| The Strategists | C-Suite/Executive Team, General Counsel (legal), Communications Lead | Decision Authority and External Risk. They decide on business risk tolerance, legal liability, regulatory disclosure, and external messaging, including its effect on reputation and share price. |
| The Responders | Security/IT Operations, Business Unit Leaders (Operations), HR, Finance | Execution and Internal Impact. They execute the immediate containment plan, assess operational impact, manage internal resources (staffing, payroll), and freeze financial transactions where the scenario requires it. |
| The Observers | Audit/Risk Team, TTX Facilitators, Note Takers | Governance and Documentation. They focus on documenting policy compliance, process gaps, and key decision points for the final report. |
Every TTX needs a clearly designated Incident Commander (IC), even if the designation only lasts for the duration of the exercise. The IC is the single point of authority who determines which systems are shut down, what resources are committed, and when the crisis is considered resolved.
A key TTX goal is to see if the existing organizational structure allows the IC to effectively wield this authority, or if bureaucracy stalls the response.
Defining the Rules of Engagement
Once the right people are in the room, ground rules are essential to ensure the discussion stays focused on policy and process, not technicalities or personality conflicts.
Rule #1: It’s not a Technical Test (Focus on Process)
The goal is not to see if your participants remember specific firewall commands. The goal is to see if your organization has a clear process for responding to a breach.
Facilitation Tip: If a discussion gets bogged down in technical minutiae, the facilitator must interrupt and ask: “What does our documented policy/procedure/plan say we do right now?” or “Who is responsible for that specific action?”
Rule #2: Embrace the “Safe Space” (No Fault)
A non-attribution or "no-fault" environment is paramount. Participants must feel safe admitting that they don't know the answer or that the relevant documents are unclear.
Key Action: State this rule upfront. Emphasize that the TTX tests the plans, not the people. Some of the best findings come from a participant saying, "I honestly don't know where that is documented."
Rule #3: Suspend Disbelief (Treat the Scenario as REAL)
Participants must engage with the scenario as if it is genuinely unfolding in the organization. Even if aspects feel unlikely or incomplete, treat them as real conditions that require a response. The purpose is to evaluate how the organization makes decisions under pressure, not to debate scenario realism. If the conversation drifts into “this would never happen,” the facilitator should redirect by asking: “If this were happening right now, what would our role require us to do?”
Rule #4: Act within Your Role (Stay in Character)
Participants must answer based on the role they are assigned for the exercise and the knowledge they would realistically possess at that time during a crisis.
Avoid "Superhuman Syndrome": Participants cannot suddenly use knowledge or authority they wouldn't have in a real incident (e.g., the Communications Lead can't start reconfiguring a server). This keeps the test realistic: if a gap exists only because the person who would normally fill it is unavailable, that gap is a finding, not something to paper over in the room.
Rule #5: Use a Parking Lot
Discussions that are valuable but are distracting from the scenario – future budget needs, specific vendor complaints, or technical deep dives – must be actively moved to a “Parking Lot” list to keep the exercise moving along.
Key Benefit: This keeps the TTX focused on immediate crisis response while ensuring important side topics are captured for the post-exercise remediation phase.
Moving to Action: Your Next Step
Securing the right participants is an act of influence. Get confirmations early and use the Rules of Engagement to set a professional, high-value tone for the exercise.
Your Action Item: Using your current organization chart, list the five most critical decision points that occur during a major incident (e.g., calling law enforcement, authorizing a major system shutdown, public disclosure). Then circle the specific role that owns each decision. If a decision has no clear owner, or two roles each believe they own it, note that now; it is your first finding. This list forms the basis of your TTX attendance request.
Now that your key players are seated, what crisis will you throw at them?
In the next part of the series, we will focus on Crafting Compelling Scenarios: Beyond the Ransomware Attack – designing injects that challenge your team's documentation and drive home the most valuable learning outcomes. (Coming March 25th, 2026!)