查看文章

In recent years there has been a large increase in advanced computer attacks targeting Norwegian authorities and businesses. At the same time there is a great shortage of trained and qualified personnel within cyber- and information security. To fill this demand supply gap there has been an increased focus to educate new personnel through exercises and training. Running the training and exercises in a realistic and safe environment is a demanding task, which requires a well-trained Exercise Control (EXCON) team. In this paper we present results from in-depth interviews which were conducted with information security and/or exercise experts from different Norwegian organizations with relevant EXCON experience and suggest a future train-the trainer concept to meet the challenges found in the study. The result from the research shows that the development of exercise control teams is not prioritized by organizations, and not given time or resources for education or team development. Being part of an exercise control teams is a side job where organizations mostly rely on hiring external experts. Another key finding in this research is the importance of exercise planning competence amongst the exercise control team, for the exercises to be successfully executed. Results from the study also shows that a core team of experts is necessary to continuously improve exercises, and that there is a need for these experts to participate in the preparation for exercises.