Tabletopping the tabletop: New perspectives from cybersecurity’s favorite role-playing game

Can a role-playing game save lives? If the game is a tabletop exercise to help organizations of all sizes and sectors become more resilient to cyberattacks, the answer is a resounding yes.

Tabletop exercises are hands-on workshops where participants come from diverse professional backgrounds and interests to practice applying cybersecurity responses to real-world scenarios. They can be especially useful tools for helping an organization’s leadership and board members understand and evaluate how the company would react when faced with a cyberattack.

In order to help think through the challenges of modern bioproduction security, Google Cloud’s Office of the CISO assembled a group of 25 experts from 15 different government organizations and private enterprises for a tabletop exercise during Bio-ISAC’s recent Biosecurity summit. Our goal: Apply and share ideas and best practices about how to respond to these real-world challenges — without the real-world risk.

For Sheri Lewis, deputy mission area executive for global health, Johns Hopkins Applied Physics Laboratory, where they routinely lead tabletop exercises on behalf of the Department of Defense and other government agencies, two of the most important ways that tabletop exercises can impact their participants is by demonstrating the usefulness of facilitating communications and showcasing where communication gaps reside.

“In crisis situations, you want to know who is going to be at the other end of the phone. Having established relationships and strong partnerships within any community make crisis response situations easier, but when people come together in an exercise, like the one at the summit, it fosters future solutions,” said Lewis. “These opportunities help everyone understand who’s who and what they can bring to a problem — whether in response or innovation mode. When we apply that experiential learning to the bioeconomy, we’re able to merge the public health mindset with a cybersecurity mindset.”

Informed from historical and current adversary activity observed across similar production environments, the scenario we role-played immersed participants as key leaders of a fictitious biomanufacturing company, BioMiracle Inc. This company produces a critical and unique monoclonal antibody for ovarian cancer, and any disruption to its production can be life-threatening.

Divided into five groups with assigned roles spanning security, quality, manufacturing, and business, players were tasked with responding to a series of evolving cyber-physical events across their IT and OT networks. These appeared in the exercise as plot twists mimicking real-world scenarios where facts emerge dynamically, often altering initial assumptions and requiring participants to quickly evolve their response strategies.

Why problem-solving dynamics need to evolve

The exercise highlighted the problem-solving dynamics across the groups, which were made up of people from business, academic, and government backgrounds.

"The summit's tabletop pre-session from Google was eye-opening. Seeing all the diverse perspectives, having broad discussions, and having the context of the threat landscape facing biosecurity made it a much richer learning experience. I think there are many lessons to be learned from doing these types of exercises in this way. In the end, it's about turning theoretical understanding into actionable defense strategies against the complex threats we face,” said Whitney Zatzkin, co-founder and director, Bio-ISAC.

While the diverse team composition helped their distinct approaches to the plot twists, the exercise consistently surfaced three key observations across the groups on shared fate, “good” conflicts, and cognitive dead-ends. These observations led us to the following recommendations to make real-world security engineering and incident response more effective.

Embrace shared fate

Rather than falling into the trap of shared responsibility thinking, where the focus is on dividing ownership over the problem, we found more comprehensive problem solving with people adopting the shared fate model — where issues and conflicts are jointly owned and resolved, regardless of contractual boundary.

Take action: Use a collective approach in prioritizing security goals and integrate a wide range of perspectives. This includes dedicated security personnel, and also teams involved in quality assurance, manufacturing processes, business operations, and automation technologies. Invite key vendors to the table to build a shared experience of problem solving and establishing that culture of shared fate.

Foster ‘good conflicts’

Bring together stakeholders with conflicting points of view who can discuss their responses to problems, and work together to develop creative solutions.

Take action: Improve decision-making by using AI as an external reviewer in your process. Prompt it to evaluate the work of the team and provide feedback on the artifacts and outcomes. Ask, for example, "Gemini, what might our analysis be missing?”

Escape cognitive dead ends

Use a rubric, along with threat intelligence, ISACs, and AI to help tabletop exercise participants ask about the data they don’t know they’re missing — essentially, unknown unknowns — and get topical, relevant answers that can change the outcome of the exercise.

Take action: Apply hypothesis-driven and evidence-based reasoning with factual data and verifiable information over assumptions or preconceived notions. Use AI to monitor analytical processes for potential inadvertent biases that human reasoning might overlook. Supplement this analytic structure with threat intelligence and ISAC collaboration.

Take your tabletops to the next level

Conversational tabletop exercises can be powerful tools for bringing security and business leaders together. They can surface new discoveries about an organization, and serve as an initial foothold to explore many relevant avenues.

We can further enrich that experience by taking the tabletop exercise to a cyber range, where a conversational tabletop exercise can be combined with modeled systems that allow us to see data, make decisions, and evaluate the impact..

You can start incorporating tabletop exercises by following these six steps.

1. Define the scope of a TTX based on organizational goals and objectives.
2. Identify measurable outcomes from the engagement.
3. Engage security and business leaders and decision-makers in conversational tabletops.
4. Follow up by reaching out to the broader security and engineering teams with hands-on exercises.
5. Use AI agents and tools as personal assistants throughout the exercises as described above.
6. Perform an after-action analysis, and use the findings to improve the security posture in your organization.

At Google, we care about the technology, the social impacts that come with it, and how we can use technology to improve society. Google ThreatSpace is a cyber range with Google tools and infrastructure including Google Threat Intelligence, Google Security Operations, and Security Command Center. Designed by experienced incident responders and security leaders based on real-world experience and from the knowledge of more than 4000 active threat group tactics, techniques, and procedures, our exercises are based on real-world attack scenarios to rehearse and refine security engineering and incident response capabilities in a consequence-free environment.

Conversational tabletop exercises coupled with hands-on experience can break you out of cognitive dead ends by fostering collective problem solving, being essentially a shared fate practice space. It encourages good conflicts by using a red team, such as Google’s, and by subjecting your defenders to novel real-world attacks, tools, techniques and procedures, followed by after-action debriefing.

We invite you to incorporate these practices into your tabletop exercises. Participate in any ISAC or Google-led tabletop exercises with others, and consider adding AI and cyber ranges to deepen the experience. Tabletops can be a powerful tool for security leaders to identify strategic, operational, and tactical security gaps and mitigations.

Black Hat USA 2025 attendees can also check out our ThreatSpace workshop.