This guide aims to help you choose an appropriate scenario when scheduling an exercise. Consider which risk areas you'd like to exercise, as well as your learning outcomes: we have different scenario types, each with a different exercising focus.
Search by risk area
Our scenarios have been created to cover a variety of risk areas. These represent a range of human-related security vulnerabilities and include:
- Authentication
Actions and processes related to verifying the identity of a user, such as using complex passwords and multi-factor authentication.
- Physical security
Actions and processes related to protecting assets and people from physical attacks and unauthorized access, such as building entry procedures, locking doors and cabinets, being aware of onlookers, and using privacy screens.
- Device security
Actions and processes related to securing laptops, smartphones, and other connected devices, such as avoiding insecure WiFi, using a VPN, installing updates promptly, and not plugging personal or unknown devices into work devices.
- Browsing securely
Actions and processes related to browsing safely online, such as responding to browser security alerts and checking for security indicators on websites (such as HTTPS) before making payments.
- Data handling
Actions and processes related to collecting, storing, using, and disposing of data, including sharing that data with others and considering data privacy.
- Security reporting and responsiveness
Actions and processes related to reporting security incidents, data breaches, or suspicious activity and responding proactively to security threats, such as changing passwords quickly following a potential breach.
- Digital footprint
Actions and processes related to managing an individual's online presence, such as using appropriate privacy settings on social media, not sharing information publicly, and identifying online information risks.
- Social engineering
Actions and processes for detecting and preventing malicious influence and deception attempts, such as spotting phishing emails and verifying callers and messages.
You can find the risk area that each scenario covers in the catalog, when browsing for scenarios. Most of our scenarios cover between one and three risk areas, but some cover four or five risk areas at once. These can be useful to get a quick overview of participants' performance in relation to a range of security behaviors.
Browsing scenarios by risk area allows you to streamline and target interventions where you need them most.
Workforce Exercising catalog: understanding scenario types
The Immersive Labs Workforce Exercising catalog contains several different types of scenarios. These include:
- Standard scenarios - these scenarios typically cover between one and three risk areas. They are written with a rich, realistic narrative, from the point of view of a single character, and the participant makes decisions based on an evolving storyline.
- Multi-role scenarios - these scenarios are similar to standard scenarios except that the participant plays different characters at different points in the story. This means that they make decisions across multiple job roles, as the storyline evolves.
- Baselining scenario - an assessment-focused scenario. We recommend assigning this scenario at the beginning of your exercising journey to collect baseline data, identify priority areas for interventions, and monitor your human cyber risk profile over time.
- Template scenario - a standard scenario that follows a narrative storyline but requires customization. Whilst all of our scenarios can be customized, this type cannot be run without customization. Fill in the blanks to replace business names, logos, contact details, rich media, and more, to personalize the scenario to your organization.
- Policy and regulation scenarios - these scenarios focus on exercising in relation to specific regulations or standards which are reflected in scenario titles (e.g., ISO 27001, Digital Operational Resilience Act).
- Phishing assessment scenarios - these scenarios are solely focused on social engineering, with participants facing multiple decisions related to phishing, smishing, vishing, etc. These scenarios do not follow a standard narrative; instead, there is a focus on assessment and ability to 'spot the phish'.
Browse our catalog of scenarios here:
Workforce Exercising Catalog
You should check that you’re happy with the content of scenarios and response options before assigning them to individuals. You may want to change aspects of the content and options to suit your organizational environment and relevant processes and policies.
For support in customizing content, see: creating custom scenarios.
You should also consider whether employees may benefit from working through related upskilling labs before exercises. This is likely to depend on the current knowledge level in your organization for particular topics.
Wondering how to assign content? See our assigning lab collections and career paths guide.
Your journey through our content
Start with our Security Hygiene Compass scenario
We suggest that all organizations start their exercising journey with our baselining scenario, the Security Hygiene Compass. This scenario is longer than the others, but it covers all of the eight risk areas and has been designed to collect data in a robust and systematic way. This will help you to understand your current risk profile and identify areas where further upskilling or exercising may be necessary. It’s up to you how often you run this exercise, but we recommend running it at least annually to provide a consistent monitoring point over time.
Based on the results of this exercise, you can decide where best to target any upskilling efforts that may be required. This may include assigning labs on specific topic areas, or more in-depth scenario exercises based on those topic areas. Scenarios and labs are designed to be completed in around 10 minutes, to fill the gap between meetings. To maintain engagement, we recommend assigning content little and often; for instance, a different scenario could be assigned bi-monthly or quarterly.
In addition to the Security Hygiene Compass, we suggest focusing on those areas that are most important to your organization, considering current threats facing your sector or organization, previous incidents, or areas that you have particular concerns about. You may also wish to roll out exercises as part of a wider programme of planned security awareness campaigns.