Knowledge and Tabletops

As defined by Wikipedia, the Curse of Knowledge is a cognitive bias that occurs when an individual who is communicating with others wrongly assumes they have the background to understand the communication. Just because you have mastered a subject doesn't mean everyone you communicate with has as well. I often assume that my audience has the prerequisite knowledge to understand the information I am presenting. I am often wrong, which leads to frustration on both ends. This doesn't mean they are of low intelligence or unable to learn; it just means we have different backgrounds, experiences, and professions. An orthopedic doctor trying to explain bone density to me is going to get the same response as I would trying to explain Network Address Translation to her.

I recently participated in a ransomware tabletop exercise at a local business. Initially, I was disappointed in the simplistic scenario presented by the consultant running the exercise. Uhh, so basic, I can't believe they are getting paid for this, I thought. But as the exercise played out, I observed that even such a basic scenario led to very productive conversation. In fact, the participants couldn't have handled much more. Many of the stakeholders were not in the business of security or information technology, and needed to be brought up to speed.

The curse of knowledge got me again. I allowed my mastery of the topic to influence my opinion of the exercise and assumed the other participants had an equal or better understanding of ransomware and the incident response process. I had been through the scenario so many times, in both exercises and reality, that I had the answers. I wrongly assumed the others would as well.

Tabletop exercises are a great way to equalize the level of knowledge across a team. They educate the less experienced members and reinforce the knowledge of the rest. And as this exercise demonstrated, they don't need to be complex events to be worthwhile.

Is your organization regularly conducting tabletop exercises and role-playing scenarios? If not, why?

If you are a small business or non-profit with a limited budget and can't afford a consultant-led exercise or don't know where to start – contact me and I'll point you in the right direction. If geographically feasible, I’ll come run one for you!

#cybersecurity #infosec