
Risky business: Attackers and Defenders™

Welcome back. In my previous post, I presented the first of three activities that Lootok uses to complete risk assessments.

Our second activity, Attackers and Defenders™, identifies threats and vulnerabilities. Remember: threats, vulnerabilities, and assets are the ingredients for a risk. Without these three ingredients, there is no risk. In this post, I will show you how to use this activity to identify your specific threats and vulnerabilities.

At Lootok we love Attackers and Defenders™ because it engages everyone in the room. It is competitive. It involves role-playing. It forces you to think creatively about your business, and most importantly it is fun, which is not a word often used in the same sentence as risk assessments and business continuity!

The Attackers and Defenders™ activity creates an environment for structured dialogue around your organization’s threats and vulnerabilities. The key objective of this activity is to define the threats and vulnerabilities facing your key assets. The activity helps you determine realistic threats to your assets, and the vulnerabilities that allow those threats to cause a disruption. You will also be asked to reach an agreed-upon prioritization of your risks, complete with evidence that can be used for reporting, planning, and investment.


So, how does Attackers and Defenders™ work?

First, download the templates.

Attackers and Defenders™ should be used together with your completed Value Map™, and you should invite the same people who participated in the Value Map™ activity.

Divide participants into two teams. One team will be the attackers, and one the defenders. The attacking team’s objective is to choose three of the most critical assets from the Value Map™ and try to cause maximum damage to the business by disrupting those assets.

The defending team’s objective is to do the opposite. They will choose three of the most critical assets from the Value Map™ to defend from disruptions.

Distribute three of the cards you downloaded to each team. Attackers receive the attacker cards, and defenders receive the defender cards. On priority card #1, each team will discuss and write down the asset they think would cause maximum disruption (attackers) or is most important to protect (defenders), followed by the second most critical asset on priority card #2, and the third on priority card #3. Along with their selections, have each team write down how and why they would disrupt or protect the asset.

Give the teams ample time to complete all three cards, and then have a representative from each team take turns reading their #1 priority cards. After the first attack and defense have been revealed, discuss the outcome. For example:

Did you choose the same asset to attack/defend?

  • If so, would the defense strategy described on the defend card counter the attack strategy described on the attack card?
  • If not, what was the reasoning for choosing different assets? Which is the more likely scenario, the attack or the defense, and why?

Repeat this process for the remaining two attack and defend cards. Following the final attack and defense, have the group come to a consensus on asset priority by listing the assets in order of criticality.

This activity should generate discussion around which assets are most critical, what threats could impact those assets, and what vulnerabilities exist that enable a threat to impact the asset.

The results of the Value Map™ and Attackers and Defenders™ activities should give you a prioritized list of three to five risks to focus on. However, you can repeat these activities as many times as necessary to develop the full universe of risks at your organization.

In the next post we’ll review an activity that will help you measure the risks you’ve defined using the Value Map™ and Attackers and Defenders™ activities.

Looking for more guidance about risk assessments, or other ways to improve your BC practice? We can help. Contact info@lootok.com to speak with a Lootok expert.
