Your primary IT system goes offline due to a coordinated cyber attack during a regional conflict. How does your organisation continue operating?

Disruption of IT during a crisis is expected. Organisations with tested manual fallbacks and documented BCPs recover significantly faster.

• A We improvise manually but have no documented fallback.
• B We stop — all our processes depend on that system.
• C We have a tested BCP, offline procedure guides, and a secondary system that activates automatically.
• D We have a documented business continuity plan and can switch to manual processes.

A prolonged power outage is expected to last 72 hours during a national crisis. How prepared is your organisation?

Power resilience is a foundational requirement during conflict or disaster. A tested generator and fuel reserve strategy is the minimum for critical organisations.

• A We have tested generator capacity, fuel reserves, and a prioritised system list to sustain operations beyond 72 hours.
• B We have a UPS that lasts a few hours but no longer-term backup.
• C We have no power backup — operations would cease entirely.
• D We have a generator covering critical systems for up to 48 hours.

During a crisis, your corporate email and messaging systems are disrupted by a DDoS attack. How does your leadership team communicate?

Attackers often target communications first. Pre-agreed out-of-band channels and a tested crisis call tree are essential before a crisis hits.

• A We have a tested crisis communications plan with encrypted channels, call trees, and designated spokespersons.
• B We have pre-agreed out-of-band channels (e.g., Signal, satellite phone) for key staff.
• C We use personal mobile phones and hope networks remain available.
• D We have no alternative — communication breaks down entirely.

There is credible evidence that a nation-state actor is intercepting your organisation's communications. What do you do?

State-level interception is a real risk during conflict. Moving quickly to end-to-end encrypted tools and limiting sensitive discussion to need-to-know is critical.

• A We activate a pre-planned COMSEC protocol, move to encrypted tools, review recent communications for exposure, and brief all relevant staff.
• B Nothing — we don't know how to respond to this.
• C We switch sensitive communications to end-to-end encrypted tools and brief key staff.
• D We tell staff to be careful but take no technical action.

Destructive wiper malware, believed to be state-sponsored, has encrypted and deleted data across your network. How quickly can you recover?

Wiper malware is a signature tool of state-sponsored conflict operations. Immutable, air-gapped backups with a tested recovery playbook are the only reliable defence.

• A We have backups, but they're on the same network and are likely compromised too.
• B We have offsite backups and can recover within 24–48 hours.
• C We have no backups — the data is permanently lost.
• D We have immutable, air-gapped backups with a tested recovery playbook and an RTO under 4 hours for critical systems.

How often does your organisation test its disaster recovery plan?

An untested recovery plan is not a recovery plan. Regular drills reveal gaps before a real crisis does.

• A We test quarterly, run tabletop exercises, and track RTO/RPO metrics against defined targets.
• B We've never tested it — or we don't have one.
• C We test annually and update documentation after each test.
• D We tested it once when it was first written.

Credible intelligence indicates your sector is being actively targeted by a state-sponsored group using spear-phishing. What is your immediate response?

Operationalising threat intelligence quickly — pushing IOCs to controls and briefing staff — is what separates organisations that detect attacks from those that discover them weeks later.

• A We don't receive threat intelligence and wouldn't know where to start.
• B We brief staff, tighten email filtering, and monitor for related indicators of compromise.
• C We forward the warning to IT and hope for the best.
• D We operationalise immediately — push IOCs to all controls, brief department heads, increase monitoring, and alert staff within hours.

A key technology vendor has been compromised in a supply chain attack linked to a hostile state. The backdoor may have been active for months. What do you do?

Supply chain attacks are one of the most effective techniques used by state actors. Knowing what access each vendor has — and being able to revoke it fast — is essential.

• A We don't know which vendors have access to our systems.
• B We immediately audit what access the vendor had, revoke credentials, and conduct an internal investigation.
• C We disconnect from that vendor's systems and wait for their guidance.
• D We follow a vendor compromise playbook: revoke all access, run forensics, notify regulators if required, and validate all vendor-supplied code.

A major cyber attack has disabled your organisation's core systems during a national crisis. Who makes the decisions and how are they coordinated?

Clear command structure during a crisis prevents conflicting decisions, delays, and missed actions. An Incident Commander with defined authority is critical.

• A A designated Incident Commander coordinates technical and business teams using a documented process.
• B There's no clear owner — people try to fix things independently.
• C The IT manager makes decisions alone, often without leadership visibility.
• D A pre-defined Crisis Management Team activates immediately, with an Incident Commander, executive sponsor, and structured leadership updates.

Following a major cyber incident during heightened geopolitical tension, your CEO asks for a situation report within 30 minutes. Can your team deliver it?

Executive visibility during a crisis determines how quickly resources and decisions are mobilised. A standard reporting format prepared in advance is the difference between 30 minutes and 3 hours.

• A We could produce something, but it would take hours and may be incomplete.
• B We have a status update template and can provide a brief within 60 minutes.
• C No — we have no standard format or escalation path.
• D We have a structured reporting format and a dedicated communications lead, and can deliver an accurate brief within 30 minutes.