Cybersecurity Policy Exercises


Within the ”International Cybersecurity Policy” cluster, SNV designs and conducts cybersecurity exercises and scenario workshops. Cybersecurity exercises generally offer an interactive learning experience and allow for a better understanding of existing policies, their implementation, and their impact. Please see our policy brief on “Cybersecurity Exercises for Policy Work” for more information on cybersecurity exercises and their benefits.


Country-specific Cybersecurity Policy Exercises 

One of the products the SNV designs and facilitates are so-called “cybersecurity policy exercises in country-specific contexts.” In this regard, SNV experts engage with stakeholders from different countries to design and facilitate (virtual) cybersecurity policy exercises custom-tailored to the individual context.

In the one-day exercise format, participants will have to choose a coping strategy while a large-scale cyber incident develops. Before the exercise, participants get the opportunity to develop the specific goals of the respective exercise in a multi-stakeholder pre-exercise-workshop. The exercise can thus, for example, support the cooperation of different national institutions by practicing information sharing and joint analysis of an incident. SNV staff is adapting the exercise format according to the goals and country-specific context identified in the pre-workshop, for example, to design the scenarios as realistic as possible. Therefore, country-specific exercises are usually part of a broader project.

Currently, the SNV is implementing exercises commissioned by the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) and financed by the German Federal Ministry for Economic Cooperation and Development (BMZ) with stakeholders from Rwanda, Kenya, South Africa, Jordan, Mexico, Ghana, and Ivory Coast. In cooperation with Konrad Adenauer Foundation Costa Rica, SNV is facilitating a country-specific exercise with stakeholders from Costa Rica



Country Background Research 

In order to adapt the exercises to specific countries, it is important to understand the broader strokes of cybersecurity policies of other countries. Our team, therefore, researches publicly available information on cybersecurity policies of countries in order to adapt the exercises to country-specific needs. The background research, for example, answers open questions that are relevant for the design and implementation of the exercise, for instance, whether there is a mandatory reporting procedure in the event of an incident, which would influence the participants’response process to a fictional incident. The documents published here are a summary of the publicly available information on the fundamentals of a country’s cybersecurity policy.

DISCLAIMER: The research only represents a country's cybersecurity policy to a limited extent and is not an in-depth or complete analysis or assessment of current policy.

The research will be shared with participants as background material in preparation for the exercise. Therefore, the documents have a timestamp and will only consider policy up until the date of publication. In the interests of non-profitability, we decided to make the background research publicly available. If you are using these materials, please include the disclaimer. Please do not hesitate to contact us.

South Africa Country Profile (PDF)

Kenya Country Profile (PDF)