War gaming offers agencies methodology for assessing risk

Simulation technique should not be reserved for military operations, industry specialist says.

Civilian agencies should take cues from the military and use war game tactics to identify risks and assess recovery plans in case of emergency, whether a cyberattack or environmental disaster, said an author who specializes in the market.

War gaming methodologies that test an organization's ability to react to unforeseen threats traditionally have been reserved for military operations as a means of preparing for combat. The Army plans a particular invasion, for example, and a war game stages the possible responses to identify weaknesses in strategy and to help ensure troops are prepared. The Homeland Security Department also has relied on war gaming tactics, most notably with Cyber Storm, which simulates a large-scale coordinated cyberattack on the nation's infrastructure. In that example, the war game effort tests the government's ability to protect its networks.

But war gaming, which looks at the what-ifs in assessing threats, is sometimes overlooked by smaller agencies that might not recognize the potential benefits, particularly in strengthening IT security, said Mark Herman, vice president at Booz Allen Hamilton. Herman leads the consulting firm's modeling, simulation, war gaming and analysis work, and recently wrote Wargaming for Leaders: Strategic Decision Making From the Battlefield to the Boardroom (McGraw-Hill, 2008).

"In IT -- cyber in particular -- there has always been a reliance on trend analysis" for identifying potential risk, Herman said. "There's a presumption that everything will work, and if someone does do something nasty to the network, we'll just figure out how to fix it and keep going. But that's not always going to work. Put multiple levels of stress on anything, and sooner or later it's just going to break."

As standard practice, agencies essentially should imagine the worst, and then put in place the necessary parameters to ensure they're well-protected, he said. Too often when deploying IT, according to Herman, agencies focus more on mission requirements -- ensuring processes can get done -- and less on the operational side of the deployment.

"That's what has me worried, because typically we don't have a clue," he said. "Can someone fly under the radar? What will [the agency] do if this particular event happens to cause the system to go down? Who has jurisdiction? The challenge is actually the antithesis of technology -- it's about humans."

War gaming forces individuals to look at the whole picture, Herman said, by bringing together all the stakeholders in a room and outlining the potential scenarios. The methodology is by no means specific to technology, he said, but can be used by any organization to assess risk and ensure proper contingency plans are in place. The Treasury Department could participate in a war game to define its response to a theoretical global financial crisis, for example, or the Agriculture Department could participate in a war game to ensure a bad crop season doesn't cause a food supply shortage.

"As the situation unfolds, [participants] start to respond with questions and maybe realize that they're not very pleased with the outcome," Herman said. "Now, there's awareness, and everyone is in the same room to come up with solutions."