Start your day with intelligence. Get The OODA Daily Pulse.

Home > Analysis > CISA Provides Scenario Planning/Strategy Foresight “Secure Tomorrow” Toolkit

The OODA team has participated in “wargame” and red team exercises for over 25 years ranging from traditional DoD Office of Net Assessment games to scenario planning for the Fortune 500.  We have personally witnessed these exercises’ impact on establishing appropriate frameworks for thinking about future risks and opportunities.  During one of our OODA Network monthly calls in 2021, members proposed that the OODA Network could be utilized for rapid wargaming on critical issues, with members suggesting the first be on the global computer chip supply chain.

In November 2021, A report was the outcome of our first OODA wargame, which we have branded as a Stratigame (Strategic Game), focusing on the global computer chip supply chain issues.  Over 25 members of the OODA Network of Experts participated in this Stratigame where the OODA research team developed four scenarios and then led a structured discussion in which experts provided unique insights into potential impacts of these scenarios, adjacent risks, and opportunities, and recommended actions that would allow us to avoid the negative effects of a particular scenario or nudge us into a more favorable scenario.

Over the course of 2022, we will return to the foresight strategy and wargame disciplines, providing our membership with research and analysis from the global community of practitioners and thought leaders using these strategic foresight framework and methodology as their organization’s strategic toolkit for decision intelligence and risk awareness and mitigation.

CISA’s National Risk Management Center Secure Tomorrow Series Toolkit

In our monthly meeting, more often than not, on a variety of issues of concern for our membership, OODA Network members express concern for the resources available to small and medium-sized businesses (SMBs) to meet the challenges at hand.  Having worked in both the federal government and the private sector, they know that cybersecurity tools available at scale matter.  What are SMBs to do if they are cybersecurity resource-poor?

Soo in the world of foresight strategy and scenario planning.   Royal Dutch Shell and the U.S. Department of Defense are legendary purveyors of scenario planning tools and methodologies – but, again, at the corporate strategy and DoD budget scale.  Done properly, foresight strategy can be time-consuming and, more importantly, requires a time commitment of human resources in a commitment to cross-functional insights.  For SMBs, the tools feel out of reach in a very corporate sort of way.

In this context, our mind was kind of blown when, In April, CISA’s National Risk Management Center released the first Secure Tomorrow Series Toolkit “to assist stakeholders across the critical infrastructure community to self-facilitate and conduct strategic foresight activities that will enable them to derive actionable insights about the future, identify emerging risks, and develop risk management strategies that, if taken today, could enhance long-term critical infrastructure security and resilience to implement now.”

Central to the Secure Tomorrow Series effort is the selection of topics that are likely to have a highly disruptive impact across multiple National Critical Functions. To this end, the National Risk Management Center worked with subject matter experts from academia, think tanks, the private sector, and the National Labs to help build and refine the knowledge base that underlies the Toolkit activities.

These free voluntary resources are available to stakeholders in every critical infrastructure sector. More specifically, the Toolkit will assist users in identifying and examining risk mitigation strategies, managing uncertainty, and encouraging strategic foresight methods in their long-term planning.

This first iteration of the Toolkit focuses on three areas, which are very on topic for OODA Loop membership:

  1. Anonymity and privacy
  2. Trust and social cohesion, and
  3. Data storage and transmission.

What Next?

CISA’s National Risk Management Center is working to develop the next iteration of the Toolkit focused on the following topics:

  1. Synthetic biology
  2. Brain-computer interface (BCI);
  3. Mis-, dis-, and malinformation (MDM); and
  4. quantum technologies (to include computing, communications, and sensors).

The next Toolkit will be available later this year.

In the meantime, the first version of the toolkit is available to the general public.  We include the entirety of CISA’s instructions and links to various tools here for your organization to get started using them in your strategic planning.

TOOLKIT ACTIVITIES

The Toolkit provide a powerful means of increasing risk awareness, identifying risk mitigation solutions, and encouraging systems-level thinking and long-term planning. Specifically, it contains game templates; facilitator, player, and controller guides; read-ahead materials, and other materials needed for users to self-facilitate four different activities:

  • Scenarios workshop: Participants explore four different future scenarios (Life Under a Microscope, A Fragmented World, Deep Disinformation, and A New Wave of Cooperation), and identify a set of strategies that would most effectively mitigate risk across all the scenarios.
  • Threat timelines activity: Players generate fictional news headlines that describe future security threats to a particular technology or system. Through these headlines, players think about plausible futures, reflect on potential threats to critical infrastructure security and resilience; and identify corresponding mitigating actions that can be put into motion today.
  • Matrix games: Players tackle incidents and trends that could negatively affect the U.S. in the future and debate strategies to mitigate accompanying risks to critical infrastructure security and resilience.
  • Cross-impacts sessions: Participants brainstorm ideas on how key risk drivers to the three topics might affect different NCFs.

By downloading the Toolkit, users will learn how to conduct foresight activities that will enable them to derive actionable insights about the future, identify emerging risks, and proactively develop corresponding risk management strategies they can implement now.

GETTING STARTED WITH THE TOOLKIT

The Toolkit includes guides to facilitate each activity. The number of participants and time requirements vary for the four activities. A matrix game takes 3 hours to play with 3–5 participants, whereas a scenarios workshop is a full-day activity involving between 30–40 participants.

As a starting point, please review the Scenarios Workshop Synopses about future risks, and then consider the Threat Timelines as a warm-up activity, and then move on to explore the Matrix Games and Cross Impacts depending on time and participant needs and interest.

Scenarios Workshop

Participants will explore four different future scenarios to help participants explore ways in which the operating environment for owners and operators may evolve and how this evolution may affect the security and resilience of critical infrastructure systems. Participants will learn how identify a prioritized set of risk mitigation strategies that will increase critical infrastructure resilience and security, regardless of future uncertainties.

Minimum Number of Participants Required: 30-40 participants

Time Estimate: 8 hours

Threat Timelines

Players will generate fictional news headlines that describe future security threats to a particular technology or system to think about plausible futures, reflect on emerging and evolving threats to critical infrastructure security and resilience, and identify corresponding mitigating actions that could be put into motion today.

Minimum Number of Participants Required: 4-6 participants

Time Estimate: 1-1.5 hours

Matrix Games

Players will tackle incidents and trends that could negatively affect the United states in the future, and debate strategies to mitigate accompanying risks to critical infrastructure security and resilience. Participants will engage and challenge each other to think strategically about critical infrastructure resilience and preparedness from multiple perspectives.

Minimum Number of Participants Required: 3-5 participants

Time Estimate: 2.5 hours

Matrix Game: Data Privacy, Storage, and Transmission

Matrix Game: Trust and Social Cohesion

Cross-Impacts

Participants focus on how emerging and evolving risks and key drivers of change might affect different National Critical Functions in distinct ways. Participants will come away with a better understanding of the ramifications of these drivers of change for different critical functions.

Minimum Number of Participants Required: 8-12 participants

Time Estimate: 4 hours

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences, and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.