Cyber exercises enable the effective training of cyber security skills in a simulated, yet realistic, environment for a wide variety of professional roles. However, planning, conducting, and evaluating customized (i.e., non-standard) cyber exercise scenarios involves numerous time- and resource-intensive activities, which are still mostly carried out manually today. Unfortunately, the high costs related to these activities limit the practical applicability of cyber exercises to serve widely as a regular tool for skill development. Cyber exercise scenarios typically involve a sequence of predefined and carefully planned injects (e.g., events) that are rolled out sequentially, driving the progression of the exercise. The composition of such injects resembles a linear process in its simplest form. Therefore, we argue that the utilization of existing, standardized, and well-researched methods from the business process domain provides opportunities to improve the quality of cyber exercises and at the same time reduce the workload necessary for planning and conducting them. This paper reviews the challenges related to conducting customized cyber exercises and introduces a process-based cyber exercise lifecycle model that leverages the power of process modeling languages, process engines, and process evaluation methods / metrics to transform cyber exercises into transparent, dynamic, and highly automated endeavors. Therefore, the approach presented utilizes process modeling to plan cyber exercise scenario in a structured and flexible manner, enabling the creation of dynamic paths that adapt to participants’ actions. These process models are directly executed by process engines, which automate the rollout of injects and collect detailed logs for evaluation purposes. We further describe the application of this lifecycle model in course of a proof-of-concept implementation and discuss technical insights as well as lessons learned from its utilization at a large-scale national cyber exercise together with CERTs and authorities. While the state of the art mostly focuses on optimizing individual tasks or phases within the cyber exercise lifecycle, our contribution aims to offer a comprehensive integrated framework that spans across the phases, providing interfaces between them, and enhancing the overall effectiveness and maintainability of cyber exercises. Further, we are discussing implications of using our approach, identifying opportunities for creating interactive cybersecurity training environments, automated feedback mechanisms and interconnected cyber range exercises.
See https://doi.org/10.1007/s10207-025-00993-6 (externer Link, ?ffnet neues Fenster)