The actual incident we chose for our first attempt to design a framework was the APT-attack “Operation Socialist” making international headlines in September 2013. Operation Socialist was the code name given by the British signals and communications agency Government Communications Headquarters (GCHQ) to an operation in which they successfully breached the infrastructure of the Belgian telecommunications company Belgacom (now Proximus Group) between 2010 and 2013.

We did a root cause analysis on this incident using four different socio-technical models. Those models were chosen based on the different approaches they have, to see if any or all of them could be relevant for making scenarios for exercises.

The responsible of the technical operations are often considered to be within the organization. However, most organizations today are complex and cannot perform all technical tasks by themselves. By entering into contracts and service level agreement of various sort, the companies have other people and organizations to run their technical operations and are therefore bounded by agreements and thereby regulations. Withford & Zaic describe four different system levels to analyze requirements for technical operation with WOSP (Web of System Performance) (Whitworth & Zaic, 2018) : Hardware requirements, software requirements, human requirements and communal requirements. They define WOSP as a theoretical framework for the balanced design and evaluation of advanced information systems. The framework analyses performance via four fundamental system elements: Boundary, internal structure, effectors and receptors. As this is organizational issue, we considered this model relevant when designing scenarios for discussion exercises.

The four quadrants used in the proposed framework are modeled after the naive socio-technical system dynamic mental model proposed by Kowalski (Kowalski, 1994) . Kowalski's mental model attempts to describe how systemic security weaknesses in socio-technical systems can be analogized as homeostatic imbalance. Homeostatic imbalance is the disability of the internal environment to remain in equilibrium in the face of internal, external and environmental changes (Pelletier, Guertin, Paige Pope, & Rocchi, 2016) . Homeostatic imbalance is a concept that we suggest can also be used with scenario building to model the inability of an organization to face internal and external cyber threats.

The Security by Consensus model (SBC), is a model that attempt to capture the static and dynamic characteristics of ICT systems security (Kowalski, 1994) . Moreover, the model sub-divides security measures into subclasses. The holistic approach required the issue of IT crime be examined, and the model was used to make computer abuse reports. Such reports are relevant on the strategic level and as a method to define action points in the organizations, and thereby likely to be relevant for table-top scenarios.

In the Norwegian Cyber Range project, we also plan to run full-scale exercises in Norway. Cassano-Piche et. al. Socio-technical systems analysis of the BSE Epidemic in the UK using the Rasmussen framework helped vertically integrate a socio-technical root cause analysis of Mad Cow Diseases across multiple levels and hierarchies of socio-technical system in the United Kingdom as a whole (Cassano-Piché, Vicente, & Jamieson, 2006) . Consequently, we believe it can be used to design scenarios for large scale cyber security incidents and events in Norway.

Suggested modelling four quadrants used in the proposed framework are modeled after the naive socio-technical system dynamic mental model proposed d by Kowalski (Kowalski, 1994) . As mentioned before, homeostatic imbalance concept can be used with scenario building. Therefore, the model suggested consists of the four socio-technical aspects suggested by Kowalski (Kowalski, 1994) :

First, we tried to see where scenarios for exercises could fit our socio-technical model. There are several types of exercises, and in this paper, we have used the exercise-definitions outlined by the Norwegian Directorate for Civil Protection (DSB): discussion exercises, functional exercises, simulation exercises and full-scaled exercises. A discussion exercise is executed under different kind of names, for example, tabletop, dilemma-exercises or seminar-exercises (DSB, 2016b, 2016c, 2016d, 2016a) . In a discussion exercise, all participants gather in one room and all communication happens within this room. Inputs are given oral or on paper/screen/canvas sheets. All activity is to focus around discussion on concept and ideas and no concrete action or communication outside the exercise is needed. The participants are not to play or simulate, but to discuss specific and generic problems related to the scenario presented by the instructor. Function exercises is a collective name for exercises that test one or more functions within the organization (DSB, 2016b) . It might be technique, organization or capabilities. Attending a function exercise, it is more about what to exercise than how the exercise is done. Function exercises are also referred to as procedure exercises. A simulation exercise consists of two elements: The attenders and the simulation counterparts (DSB, 2016d) . A simulation exercise can be illustrated as if the game is running within a “closed bubble”, where the participants are staying in the inner bubble and the counterparts surrounding them. The participants will normally stay in their accustom premises, with their normally accessible tools and equipment. The simulation counterparts are staying in other premises, and control the game based on a planned scenario. The purpose is to convey a message with a certain effect to the participants. A full-scale exercise consists of all the elements in a simulation exercise, and functions, normally on a tactical level doing practical work (DSB, 2016a) . A full-scale exercise is always real time. You use the same equipment as you normally have access to, and exercise in the places you normally are working.

For each kind of exercise, we need relevant scenarios. A scenario is a summary of the plot of a play, including information about its characters, scenes, or a predicted sequence of events (The free dictionary, by Farlex). The common way of making scenarios is to find out who is participating in the exercise and make the scenario relevant for the participants. For example, in 2017, a group from NTNU, CCIS, The Norwegian Cyber Defence and the Norwegian Civil Defence made a table-top cyber exercise for the Oppland County Office management group and for the county readiness council. We made the scenario based on the participants and their responsibility. The scenario was based on what can happen in the society more than what has happened, and it was all made up by ideas. As a reflection after the exercise we asked ourselves if there are relevant theories to approach these kinds of scenarios in a better way, and we could not find any relevant theories on this specific matter.

Large companies have a similar approach for creating scenarios to run exercises. Telenor is running annual full-scale cyber exercises including participants and observers from the Norwegian Armed Forces, The Norwegian Police, The Norwegian National Security Authority and other invited participants. The scenarios are meant to reflect true-to-life cyber incidents the organization faces and put the participants to the test. Experiences and lessons learned build operational, tactical and strategic competence and improve the participant’s organizations in facing and managing cyber security incidents. Telenor has similar idea-based approach for making scenarios for exercises.

By considering either Structure, Methods, Machines or Ethical/Legal i.e. culture in the scenario for exercise build, we can determine where different exercises would be useful. Moreover, by having performed a root cause analysis and thus determined the underlying “real”, that is major and sine qua non - reasons for the cyber-attack, building an appropriate scenario based on this could prove more accurate, give higher learning quality/effect and more cost effective.

To exemplify this approach, we have discussed the NATO exercise Trident juncture executed in and hosted by Norway in 2018. The main scenario was made for the fullscale exercise within a 3-week timeline. The strategic part of the exercise was kept outside the full-scale exercise and started instead at the end of the full-scale exercise timeline. The scenario for the strategic part of the exercise was in this case based only on structure and methods. The scenario for the NATO exercise would in this case be placed both in an overall context in the model, but the strategic part of the exercise would be placed in the upper right part of the model.

When planning for the annual exercise at the Oppland county readiness council in 2017, the exercise's theme was a cyber-attack against municipalities ICT-systems (Oppland Arbeiderblad, 2017) . The county readiness council was given step-by-step information about the scenario and had round table discussions based on those inputs. The discussions were based on the structure in the organizations, laws and regulations and ethical issues (amongst others) – a typical discussion exercise that would be placed in the upper left corner in our model.

When testing systems such as fire alarm systems, it requires a certain methodology and actual use of machines. Fire-alarm exercises is typical functional exercises and you will be placed in the lower right corner in our model. Other known exercises that is based on methodology and machines is cyber mega games, better described as simulation games.

When analyzing the outlined DSB’s definitions of exercises, we found that there is not any definition on cultural and machine exercises (lower left corner of our model). However, there are examples of real-life incidents which has been used in teaching strategic and ethical exercises, such as the Therax-25 case (Computing Cases, 1983) . We consider this as an area of which can be developed better in combining exercisedefinitions and scenarios and have presented this in our future research chapter.

Our scenario for exercise perception is shown in figure 2.

Belgacom operates a substantial number of data links internationally and it serves millions of people across Europe as well as officials from top institutions including the European Commission, the European Parliament, the European Council and the NATO HQ Europe. When Belgacom’s internal security team began to suspect that their system was infected with a virus, they hired in outside experts, and after a while the Belgian military intelligence to handle the situation (Marquis-Boire, Guarnieri, & Gallagher, 2014) . Some anomalies where detected already in 2012, but Belgacom's security team was unable to identify the cause.

The operation's existence were revealed in documents leaked by the former National Security Agency contractor Edward Snowden in 2013. The malware disguised as legitimate Microsoft software, where identified as the source of the problems. The leakage stated that it was the Government Communications Headquarters (GCHQ) who had infiltrated Belgacom’s systems. GCHQ is the British intelligence and security organization responsible for providing signals intelligence (SIGINT) and information assurance to the government and armed forces of the United Kingdom. According to the leaked documents, from Snowden, GCHQ had probed Belgacom's infrastructure for years. Additionally, the documents suggested that Operation Socialist had been recognized by the head of the GCHQ's Network Analysis Centre as a success. Snowden subsequently described Operation Socialist as the "first documented example to show one EU member state executing a cyber-attack on another…" (Marquis-Boire et al., 2014) .

According to the leakage, GCHQ had been able to get access to vital data within the mentioned organizations. This led to both political and organizational difficulties for multiple stakeholders.

GCHQ had allegedly used Quantum Inserts technology to target Belgacom and GPRS roaming exchange (GRX) providers like the Comfone, Syniverse, and Starhome. Quantum Insert is the process of injecting TCP sessions into a TPC stream and sending the victim in the wrong direction towards a malicious website that infects their computers with malware at lightning pace (Marquis-Boire et al., 2014) . The combination of an IP address and a port is strictly known as an endpoint and is sometimes called a socket. A TCP connection is defined by two endpoints a.k.a. sockets. The Quantum Insert attack started by finding that way into the Belgacom systems by targeting their engineers use of passwords on LinkedIn (Marquis-Boire et al., 2014) , the APT killchain was as follows: • Reconnaissance: The APT choose targets of interest and surveil for a period their use of services on the internet, i.e. Belgacom system administrators active on LinkedIn. • First stage: Drivers which act as loaders for a second stage. When started loading, loads and executes stage 2. • Second stage: When launched it cleans traces of the initial loader, and then loads the next part and monitors its execution (NB! May disinfect by failure). • Orchestrator: Service orchestrator working in Windows' kernel. Loads the next part of the malware. • Information harvesters: Include data collectors, self-defense engine, functionality for encrypted communications, network capture programs, and remote controllers of different kinds. • Stealth implants: Pointers that reference specific locations in memory. Difficult to find, as it is very much alike pool scanning from kernel memory (used by Windows).

Technically Quantum Inserts are categorized as “man-on-the-side attacks” which is a subcategory to “waterhole attacks”. As such APT-attacks are very difficult to discover, the exact time of when the stealth implants were in place is uncertain, but the investigators suggested an approximately startup in 2010. The Intercept summered up the story timewise in 2018 (Gallagher, 2018) . The timeline of the incident is shown in figure 3.

One of the models we used for analyzing the case was the BSE Structural Hierarchy model based on Rasmussen structural hierarchy model (Cassano-Piché et al., 2006) . In this paper it is presented as an acci-map. An acci-map is a systems-based technique for accident analysis, specifically for analyzing the causes of accidents and incidents that occur in complex Socio-technical systems. In figure 4 we present the different layers in the society in the left column, then some analyzed impacts in the second column and a flow-chart to show how events relate to each other in the right column.

We analyzed what impact the incident had on the different layers and moreover used the flowchart to show how decisions were made and had impact on other layers both in Belgacom and in other societal organizations.

The socio-technical models appear useful in understanding and defining training scenarios as it gives us a good indication on both social and technical challenges from real life cases.

The SBC Model appears to be a good model for making scenarios for table top exercise regarding the Belgacom incident, since it helps to indicate were the organization is vulnerable from a strategic level within the organization. By using the SBC model, we can make exercise that show the relationship between different both technical and social functions within (in this case) Belgacom, and a scenario could be made to support this.

For Kowalski’s socio-technical model we choose organizational and national level, but we think that for writing scenarios, we could have chosen both local government and other third-parties. We figured this model would be excellent for making scenarios for discussion exercises and table-top exercises. This model gives the instructors/trainers possibility to both focus and train the company and a third party. The idea of the model is though in a continual state of surface flux, it is also striving to reach a state of equilibrium or homeostasis (Kowalski, 1994) . In our incident, this means that when we find the weakest link in the model, which might be the place to start modeling a scenario for exercise, by using this model, you may end up with different kind of scenarios and exercises.

The BSE-model with the flow-chart shows how well aligned the different events are between different levels in this hierarchy, and we also see a scenario involving all these levels. This model shows that all levels are connected and gives us the reason to believe that this model can be used for making scenarios for full-scaled exercises, but also be toned down and used for all other types of exercises.

When we analyzed the Withword 8 criteria-model we found that this is related to organizational level in first, and as the WOSP are made to follow up on strategic decisions, this model can be used for discussions exercises. This assumes Information Security as part of the WOSP’s.

Below is a table outline the four different models and the type of exercise the actual incident can be applied.

In figure 5 we map the different socio-technical models together with the scenarios for exercises mapped in figure 2, to attempt to visualize and compare. We may conclude that by changing the models in one or another direction, they will be more suitable for the different kind of exercises. For example, the Kowalski model can float across the diagram based on the situation in the organization, and by that approach decide what exercise to consider.

We are proposing to name this comparing model a socio-technical system design framework for cyber security training exercises (STSD-CSTE).