Using Wargaming to Model Cyber Defense Decision-Making: Observation-Based Research in Locked Shields




Decision-making, Defensive Cyber Operations, Wargaming, Locked Shields


Defensive Cyber Operations (DCO) in complex environments, such as cyber wargames, require in-depth cybersecurity knowledge and the ability to make quick decisions. In a typical DCO, execution rarely follows a pre-planned path because of extensive adversary influence, challenging an already complex decision-making environment. Decision-making models have been extensively studied from perspectives of military operations and business management, but they are not sufficiently researched in the context of cyber. This paper responds to this need by examining the decision-making models of DCO leaders in a live-fire wargame environment. This study was conducted by observing leaders of cyber operations during the world's largest live-fire cyber exercise, NATO Locked Shield 2023. In this exercise, the blue teams plan and execute their defensive cyber operation in a realistic operational environment, while the red team conducts attacks against the defended environment. The large-scale, wargaming-style environment of Locked Shield is one of the best environments for modelling DCO decision-making models; in this exercise, the DCO is broad and multi-faceted, a perspective which cannot be achieved in a typical capture-the-flag competition or a single security incident. DCO leaders must be able to manage two distinct decision-making processes with different sets of required skills to be successful in the mission. While the primary process relates to the execution and evolution of the pre-designed plan with traditional operational leadership skills, the secondary process deals with unplanned and deliberately caused cyber-related events that require a deep understanding of cybersecurity. In this respect, the main contribution of this research is the constructed decision-making model of the DCO leader. This model is based on observations collected and presented in the context of multiple well-known decision-making frameworks. This model can be further used to train future DCO leaders and assess artificial intelligence's usability to support and automate decision-making in such operations.


Author Biographies

Pietari Sarjakivi, University of Jyväskylä, Jyväskylä, Finland

Pietari Sarjakivi is a PhD researcher at Jyväskylä University and Director of Cyber Research at DNV Group Research and Development. He has over 15 years of experience in both defensive and offensive operations within critical infrastructure and businesses. As an active reservist, he has been leading the winning Finnish blue team in the NATO Locked Shields in 2022. His research focuses on Artificial Intelligence in Cyber Operations.


Jouni Ihanus, University of Jyväskylä, Jyväskylä, Finland

Jouni Ihanus holds an M.Eng. in technology competence management and M.Eng. in cyber security. He is currently a Ph.D. student at the University of Jyväskylä, Finland. His research focuses on cyber situation awareness with a technological twist. In his professional life, Jouni leads operational information security in a Finnish public administration organisation. Jouni is passionate about developing and simplifying areas where people and technology meet, which he sees as one of the central challenges of the modern world.


Panu Moilanen, University of Jyväskylä, Jyväskylä, Finland

Dr. Sc. Panu Moilanen is senior lecturer and degree program manager for the Security and Strategic Analysis MDP at the Faculty of Information Technology, University of Jyväskylä (Finland). His teaching and research interests are the role of technology as part of the security of today's increasingly complex societies, information influence and warfare, cyber security, and resilience. He also works for the National Defence University (Finland) and National Defence Training Association of Finland.