When the Lights Went Out at Heathrow: A Crisis That Was Never Meant to Be “Won”
In the early hours of March 21, 2025, a fire broke out at the North Hyde electrical substation in West London, just a few miles from Heathrow Airport. Within hours, a local infrastructure incident had triggered widespread disruption across the global aviation ecosystem. Flights were grounded, operations were halted, passengers were stranded, and local residents were left without power. Suddenly, one of the most connected airports in the world found itself completely disconnected. This wasn’t just a power failure, it was a systems failure. The fire itself was severe yet containable, but what unfolded afterward exposed far deeper vulnerabilities. It has since been claimed that Heathrow had “enough power” from other substations, which now raises difficult but fair questions: If there was enough power, why shut the airport down completely? If there wasn’t, why wasn’t the site resilient enough to handle a failure like this? And most importantly, how did one single point of failure have this much impact on such a critical national and international asset? These are the questions that will dominate the post-crisis scrutiny, but while many rush to applaud or condemn, I think the truth lies somewhere more uncomfortable. Crisis leadership isn’t about perfect outcomes Crisis response is never clean. It’s messy, fast-moving and incomplete. You make decisions with partial data, under pressure, in real time. And in the majority of cases, you choose between bad and worse – which is exactly what Heathrow’s leadership team faced: Compromised infrastructure Uncertainty about the integrity of power and systems Thousands of passengers on site and mid-flight en route to the airport Global operations and supply chain at risk The common response is, “we need to tackle all of these problems” – and rightly so – but what people often forget is that in a crisis, you don’t have the resources, time, or information to tackle everything at once. Heathrow's leadership chose safety and containment, and in just under 24 hours, they were back online again. That’s impressive. That’s recovery under pressure, and that’s business continuity in action. But it doesn’t mean everything was done right, and it certainly doesn’t mean we shouldn’t ask hard questions. “Enough power” means nothing without operational continuity Having backup power doesn’t mean having functional operations. Power alone doesn’t run an airport – systems, processes, and people do. If the backup didn’t maintain critical systems like baggage handling, communications, lighting, or security, then the airport was right to shut down. However, the next question is, why didn’t those systems have their own layers of protection, and where was the true resilience? This leads us to the real issue: this wasn’t just about Heathrow, it was about the entire ecosystem. Resilience isn’t just a plan – it’s a whole system of dependencies The recent disruption is a real reminder that resilience doesn’t just live inside an organization. It lives across every partner, vendor, and hidden dependency. In critical services like aviation, the biggest vulnerabilities are often outside the walls of your own operation. There’s a web of partners involved in keeping an airport running: Power providers Facilities management IT and communications vendors Outsourced security Maintenance crews Air traffic systems Second and third-tier subcontractors Many of these providers sit outside the organization’s direct control, yet their failures become your crisis in an instant. True resilience requires more than internal readiness, it demands visibility across the whole supply and vendor chain, coordination protocols with external stakeholders, and clear ownership of critical functions. When something breaks in the background, you won’t have time to figure out who’s responsible; you’ll only care about who can fix it. So identifying and (most importantly) testing and exercising your supply chain is paramount. This wasn’t a “winnable” crisis – and that’s the point I’ll discuss this concept further in my upcoming webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty, but the Heathrow disruption is a perfect case study. This was never going to be a clean “win.” No plan could have delivered a flawless response, and no leader could have avoided disruption entirely. Instead, this crisis asked a different question: When everything seems to be falling apart, can you contain the damage, protect your people, and recover quickly? That’s the real test. It’s what separates the theoretical resilience plans from the operational reality. Heathrow passed parts of that test, but the system around it has questions to answer, and every other organization watching should be asking the same thing: “How many hidden dependencies are we one substation, one outage, one contractor failure away from exposing?” The next crisis may not give you a warning, and it certainly won’t give you time to figure out who’s holding it all together. Crisis leadership isn’t about perfection; it’s about being ready for the moment when no perfect option exists. The question now is, what did it reveal that we can’t afford to ignore? Ready to prepare for true crisis readiness? Join me for the upcoming community webinar, The Unwinnable Crisis: How to Create Exercises That Prepare Teams for Real-World Uncertainty on April 11. We’ll explore what true crisis readiness looks like and how you prepare your team to lead when there is no “win” – only choices.Cyber Drills and Outcome-Based Programs: A Hands-On Approach to Cyber Resilience
What are cyber drills and outcome-based programs? Cyber drills vs. outcome-based programs Cyber drills Prove Outcome-based programs Improve Simulate a realistic cyberattack to test response capabilities Ongoing, structured programs to build and improve security operations Benchmark security preparedness at a given point in time Measure progress over time with defined success metrics Team-based exercises that focus on immediate response Tailored multi-year programs that address specific security gaps One-off or periodic events Continuous learning and improvement The key difference is that cyber drills test and prove preparedness and expose improvement areas; outcome-based programs address the improvement areas and enhance an organization’s ability to detect, respond, and recover from cyber threats. Combined, these approaches provide sustainable, robust cyber resilience. Designing an effective outcome-based program To implement an outcome-based program successfully, organizations must consider the following factors: 1. Understanding business objectives and risk tolerance Before designing a program, it’s crucial to understand: Business goals – what is the organization trying to achieve? Risk appetite – how much risk is the company willing to take? Regulatory requirements – what compliance standards must be met? 2. Defining measurable outcomes Success should be based on quantifiable improvements, such as: Reduced incident response time Fewer security breaches Improved threat detection capabilities More substantial alignment with regulatory requirements 3. Tailoring the program to the organization Organizations are unique, and outcome-based programs must be customized to fit: Risk assessment results Threat landscape Technology stack and processes Security team capabilities 4. Implementing and monitoring progress A phased approach ensures better adoption: Pilot phase – test the program with a small team before full deployment Phased rollout – implement step-by-step to ensure success Continuous reporting – regularly track metrics and adjust the program as needed 5. Demonstrating ROI and business value To gain leadership buy-in, organizations must: Showcase case studies of successful implementations Use data-driven insights to highlight improvements Demonstrate long-term value beyond compliance Example: A multi-year cybersecurity resilience program A well-structured outcome-based program can span multiple years, evolving as threats change. Year 1 – Conduct cyber drills, crisis and incident response exercises and assessments, and document response plans. Develop improvement plans and program scope. Year 2 – Technical and executive training, incident handling exercises. Year 3 – Advanced cybersecurity drills, scenario-based threat modeling, multi-team exercising. Process and policy stress testing. Year 4 – Purple teaming, improving collaboration between defense and offense teams. Year 5 – Full-scale red teaming and supply chain cyber drills. This approach ensures that organizations continuously prove and improve rather than just react to incidents. Final thoughts: The future of cybersecurity training Moving from traditional cybersecurity upskilling to cyber drills and outcome-based programs requires: A shift in mindset – focus on long-term resilience, not just one-time testing. Cross-department collaboration – security is not just IT’s responsibility; leadership buy-in is crucial. Expertise in design and delivery – outcome-based programs must be well-structured and measurable. By embracing cyber drills and outcome-based cybersecurity training programs, organizations can stay ahead of threats and build a stronger, lasting security culture. Share your thoughts Is your organization ready to move beyond traditional cyber upskilling? Where do you feel the biggest challenge lies, out of the three points mentioned above? Have you had success in overcoming these challenges? If so, share how with the community. Let’s build a cybersecurity strategy that delivers accurate, measurable results.Is Your Team Really Ready for a Cyberattack? (Prove It, Don't Hope It)
Cyberattacks are increasingly frequent and sophisticated. According to the Identity Theft Resource Center (ITRC)’s 2024 Data Breach Report, they remain the primary root cause of data breaches, with Financial Services replacing Healthcare as the most targeted industry. The message is clear: no organization is safe. The recent breach at Change Healthcare/UnitedHealth Group, which exposed the health data of around a third of Americans, shows that the scope of modern cyberattacks extends beyond individual organizations. This isn't just a data breach; it's proof that a single vulnerability can disrupt healthcare operations, impact patient care, and erode public trust. Building a cyber-ready workforce isn’t optional – it’s essential. This isn't about hoping you're prepared; it's about proving it. What "cyber-ready" means in practice A cyber-ready workforce goes beyond having an IT security team. It means everyone, from the front lines to the C-suite, understands their role in preventing and responding to cyber threats. First-line responders (IT security, SOC analysts): These are your digital defenders, constantly monitoring threats. But they're not just monitoring alerts; they're dissecting the attack, isolating the threat, and preserving digital evidence like detectives on a case. They react instantly to alerts, following incident response procedures to identify and contain attacks, aiming for rapid isolation to limit damage. Mid-level managers (team leads, department heads): These are your field commanders during a crisis. They're not just relaying information; they're making tough calls under pressure, coordinating teams, and ensuring everyone stays focused on the mission. They escalate issues to senior leadership and keep all stakeholders informed. Senior leadership (C-Suite, board members): These leaders understand that cybersecurity is a core business risk, not just an IT problem. They champion a security-first culture, prioritize cybersecurity investments, and understand a breach's potential financial, legal, and reputational fallout. The cost of being unprepared: a ripple effect of damage Think about the impact of a successful cyberattack on your customers, your employees, and your reputation. It's not just numbers on a spreadsheet; it's real-world consequences. Imagine the chaos: systems down, customer data compromised, the phone ringing off the hook with angry clients. The financial costs are staggering, with IBM’s Cost of a Data Breach report stating the average data breach now costs $4.45 million, and that number increases yearly. Then comes the reputational damage: lost customer trust, negative press, and long-term brand erosion. Operations stall, workflows are disrupted, and productivity plummets. Legal fees, regulatory fines, and the potential for crippling fines for non-compliance with laws like GDPR, HIPAA, and DORA add further strain. It's a domino effect that could threaten your organization’s survival. Building effective response through cyber drills and resilience programs Cyber drills are the cornerstone of a robust cyber resilience program. They’re practical, hands-on simulations that allow your team to practice responding to real-world threats in a safe space before a real crisis hits. To maximize their effectiveness, cyber drills should be: Realistic: Simulate real-world attacks, including ransomware attacks, data breaches, supply chain disruptions, and social engineering attempts. Incorporate threat actors' latest tactics and techniques to prepare your team for anything. Comprehensive: Involve all relevant teams, from technical responders to senior leadership, with clear roles and responsibilities. Drills should assess technical skills, communication, coordination, and decision-making under pressure. Regular: Conducted frequently to keep skills sharp and procedures up-to-date. A continuous drilling program is ideal. Analyzed: Every drill is a learning opportunity. Conduct thorough post-incident reviews to identify areas for improvement, document lessons learned, and update incident response plans. Building a fortress: your comprehensive resilience program True resilience goes beyond drills. It's about creating a multi-layered defense. Imagine building a fortress around your organization. Cyber drills are the practice battles, but a comprehensive resilience program is the complete defense system. You start with an early warning system: your threat intelligence feeds, providing insights into the latest attack methods. Next, you educate everyone, creating a human firewall through continuous security awareness training and micro-exercises (like simulated phishing emails). You then fortify your defenses by proactively scanning for and patching vulnerabilities (vulnerability management). Finally, you develop a detailed battle plan: your incident response plan, a meticulously documented and regularly tested strategy for handling attacks. This comprehensive approach is key to long-term resilience. Resilience is practiced, refined, and ready for battle. Reducing burnout: the human element of cyber resilience Cybersecurity is a relentless, high-stakes 24/7 battle. The constant pressure to defend against evolving threats takes a toll – leading to burnout, decreased productivity, and a weaker security posture. Recognizing this human element is crucial. Building a resilient team requires proactive support. Invest in training, development, and exercising to keep skills sharp and confidence high. Promote work-life balance by encouraging breaks, vacations, and unplugging after hours. Proper rest is essential for sustained performance. Crucially, cultivate a supportive work environment. Create a space where team members feel comfortable asking for help, sharing concerns, and admitting vulnerabilities without judgment. Open communication and collaborative problem-solving are vital. Celebrate successes and acknowledge the hard work of your cybersecurity professionals. A valued, supported team is an engaged, resilient team – your best defense against evolving threats. Ready to empower your workforce and build a cyber-resilient organization? Waiting for a cyberattack to happen is a recipe for disaster. Proactive preparation is the only way to protect your organization. Building a cyber-ready workforce is an ongoing process, but it's an investment that will pay off in the long run. Share your thoughts What are your biggest challenges in building a truly cyber-ready workforce? Share your experiences and challenges in the comments below.Pieces of the Puzzle – The Power of Interconnected Cyber Drills
A crisis doesn’t respect boundaries – it unfolds in real time, demanding responses from every level, from technical teams to executives. That’s exactly what we set out to simulate with our recent cyber drill, “Pieces of the Puzzle”, a high-intensity exercise that pushed over 300 team members into the deep end of crisis response. What set this drill apart was its interconnectivity – no single person had the full picture, and every decision mattered. A crisis unfolds in pieces The exercise was built around two fictional companies: FusionArc – A cloud-based IT infrastructure provider suffering a cyberattack Orchid Logistics – A global supply chain company, FusionArc’s largest customer, facing operational chaos due to the breach. Day one simulated a cyberattack on FusionArc Solutions, with participants acting as the incident response team investigating and responding to a breach of critical systems and sensitive data. This day showcased Immersive’s cyber range capabilities and the importance of continuous upskilling. It allowed participants to practice incident response protocols and sharpen their ability to detect, analyze, and respond to cyber threats. Live technical demos showcase real-time analysis and response, bringing the simulation to life and highlighting the skills needed to combat cyberattacks. Day two shifted the perspective to Orchid Logistics, whose global operations across four major regions were thrown into turmoil due to the cascading impact of the attack. Each region had its own challenges, from disrupted healthcare supply chains in Europe to financial uncertainty in North America. Different teams’ operations, legal, communications, finance, and crisis management were forced to make critical decisions with incomplete and often conflicting information. This wasn’t just about testing individual teams. It was about stress-testing the connections between them because, in a crisis, decisions have consequences. Every action (or inaction) ripples outward, shaping how an incident unfolds and determining the effectiveness of the response. The design: controlled chaos with a purpose Running a cyber drill at this scale required intricate planning. Each element was carefully orchestrated to simulate the real-life confusion of a crisis where information is fragmented, priorities clash, and leaders must make tough choices under pressure. Key elements included: Dynamic information flow – Teams received updates in real-time, with technical teams feeding insights to crisis managers, who in turn had to make strategic decisions for the business. Regional decision-making – Each region had its own crisis management team (CMT), responsible for navigating localized challenges while staying aligned with global headquarters. Cross-functional dependencies – Operations, legal, finance, and public relations all faced their own unique crises relating to the cyberattack, as well as other unrelated business continuity disruptions. Their ability to coordinate responses mirrored the true complexity of a global business disruption. Escalating pressure – Timed injects (new crisis updates), roaming media roleplayers, and breaking news images forced participants to adapt rapidly, just as they would in a real cyber event. By layering these complexities, the exercise tested technical incident response and the entire organization’s ability to work as a single unit under duress. We looked at disaster recovery, crisis management, and business continuity all in the same cyber drill. The power of perspective (or lack of it) A key takeaway from the drill was how overwhelming it felt. No one had the full picture – teams made decisions with only their slice of the crisis, just like in the real world. We saw participants grappling with conflicting information, wondering why other teams weren’t responding as expected. Some felt completely isolated until they realized that the missing information was sitting with another team in another region, experiencing a completely different part of the crisis. This is why interconnected drills are vital. They teach organizations to connect the dots and reinforce a crucial lesson: in high-stakes environments, every decision shapes the crisis’s trajectory. Prove and improve: the true value of cyber drills Cyber drills aren’t just theoretical exercises. They test response plans, communication, and decision-making under pressure while revealing areas for improvement. This drill pushed participants to work under stress and exposed gaps not just in technical response, but in collaboration, escalation, and decision-making. These exercises matter because they don’t just reveal weaknesses – they build resilience before a real crisis strikes. What this means for your organization Cyber threats affect entire businesses – customers, partners, supply chains, and finances. The biggest risk isn’t the attack itself but poor coordination in the response. That’s why cross-team exercises are vital: technical teams must know how and when to escalate, crisis managers must grasp the stakes, and executives must make quick decisions with limited information. Cyber drills don’t always have to be this large, but they must be realistic. Even smaller exercises focused on decision-making across teams can expose gaps in communication and preparedness before a real crisis does. Final thoughts: crisis readiness is built, not assumed In the debrief of Pieces of the Puzzle, one theme emerged repeatedly: we are only as strong as our connections. The most prepared organizations aren’t just those with the best tools or plans – they’re the ones who practice together and strengthen the human elements. Cyber drills push teams to break silos, act under pressure, and manage uncertainty. If you’re not running them regularly, the question isn’t if you’ll struggle in a crisis – it’s when. No matter your industry, scale, or risk landscape, the key takeaway is this: crisis preparedness isn’t just about reacting – it’s about ensuring every piece of the puzzle fits before the crisis hits. Are your teams ready to prove and improve? Share your thoughts Has this inspired you to plan a drill? Do you have any questions about planning or execution and need some pointers? Have you run a drill or been to a drill event, and if so, how did it feel? I’d love to hear from you and help you reach your goals.Experience-Driven and Intrinsic Learning in Cybersecurity
Experience-driven learning Experience-driven learning can take many forms, including: Practical simulations Role-playing exercises Individual hands-on learning Team-based exercising For example, some employees may be presented with micro exercises that pivot around key risk areas such as device security, data handling or social engineering. Others may participate in a tabletop exercise that simulates a ransomware attack, allowing them to practice incident response, crisis management, and recovery procedures in a safe and engaging environment. More technical teams can experience a real attack on real infrastructure in a cyber range, working together to identify and understand the attack using defensive and forensic tools. These types of activities foster intrinsic learning, driven by personal interest and the desire for self-improvement rather than external rewards like grades or promotions. These types of activities also engage natural human behaviours related to gamified learning, both individually and as a team. Intrinsic learning Intrinsic learning can be particularly valuable, especially in the context of cybersecurity, because it allows employees to develop a deeper understanding and appreciation of the subject matter beyond what is required for their job. This approach to learning is not only more engaging and effective but also helps organizations identify areas for improvement and potential vulnerabilities. Intrinsic learning can also help foster a culture of continuous learning within the workforce. By encouraging employees to pursue their interests and explore new areas of cybersecurity, organizations can create an environment where individuals feel empowered to take ownership of their learning and seek out new opportunities for growth and development. To make your cybersecurity training more experiential and foster intrinsic motivation for learning, consider the following steps: Align with personal goals Empower team members to align upskilling pathways with their career aspirations and professional development. Emphasize real-world relevance Showcase how the skills learned directly apply to current cybersecurity challenges and job responsibilities. Provide autonomy Allow learners to freely explore different topics and skills. Create a supportive environment Encourage peer-to-peer learning and mentorship opportunities to build a culture of continuous improvement. Celebrate progress Recognize and highlight individual and team achievements to boost confidence and motivation. Implement adaptive challenges Gradually increase difficulty levels, ensuring learners are consistently challenged but not overwhelmed - the right level of learning is more important than the quantity. Encourage reflection Prompt learners to analyse their performance after each exercise, especially team-based, fostering a growth mindset and self-awareness. Facilitate knowledge sharing Organize regular debriefing sessions where individuals can discuss their experiences and insights gained from the training. Connect to organizational impact Demonstrate how improved cybersecurity skills contribute to the overall success and resilience of the organization. Provide immediate feedback Leverage Immersive Labs' real-time feedback mechanisms to help individuals understand their progress and areas for improvement. By implementing these steps, you can create a more engaging and intrinsically motivating cybersecurity training experience, fostering a culture of continuous learning and skill development within your organization. Conclusion Incorporating intrinsic and experience-driven exercises into your cyber resilience strategy can be an effective way of measuring and improving your overall resilience. Today, the need to exercise effectively has become a key feature of many cyber security frameworks and directives such as ISO27001, NIS2 and DORA, requiring organisations to maintain proof with policies and procedures underpinned by data and results. What have you experienced in your own upskilling journeys to get you where you are today, have you found some ways work better than others; Individual, team, hands-on, theory, classroom? What are your favourite ways to learn and stay motivated with the ever-changing cyber landscape right now? Share your stories and insights in the comments below!Mastering Crisis Sim: 5 Tips for Easy Customization
Drawing on three years of Crisis Sim experience, I’ve identified five essential elements that consistently lead to successful custom simulations. 1. Have a good plan Having a plan is vital to dealing with a crisis, and the same thing goes for creating a Crisis Sim. When planning a crisis scenario, it can be extremely helpful to have a general outline of the storyline, different branches, and specific IR goals to hit before creation begins. This can be done in many different ways, depending on your preference. A whiteboard session, document outline, Figma, or even pen and paper can help outline different injects, attack vectors, and responses. 2. Use naming conventions to keep things organized When creating a multi-branch exercise, injects can often be reused or slightly modified to engage users and reflect the impact of their previous choices. However, with multiple copies of injects, it can be difficult to track which inject links to which option or how it flows into other branches. Organizations have found that using simple naming conventions greatly reduces confusion. For example, including the inject number and different branches ([Inject], [Branch]) provides a clear visual and numerical reference. This approach is especially helpful when managing copied injects with identical titles. 3. Create useful attachments Crisis Sims and tabletops are all about engaging the audience and immersing them in the scenario. Adding useful attachments can significantly enhance realism with minimal effort. Attachments in injects provide context, information, or illustrate the effects of previous decisions. Organizations often use sanitized SOC screenshots, short videos featuring leaders, or their IR playbook to drive engagement. With support for various file types, these additions make scenarios more interactive and realistic. 4. Flexible interludes Interludes are a new type of inject in Crisis Sim that don’t require action or voting from participants, offering versatile use cases. Interludes can be used to bring the audience back to the main branch if they begin to choose options that aren’t in line with playbooks, framing it as a decision made by a manager or leader. Interludes can also be used as a conversation starter rather than relying on voting, as conversation is key during crisis exercises. Instead of listing a few options, interludes can allow for open-ended questions, which lead to discussions on the best next steps or things to consider as the scenario progresses. Interludes can also introduce new issues and provide more context. 5. ‘Create with AI’ to get started ‘Create with AI’ is a new feature in Crisis Sim that allows organizations to create customized scenarios with artificial intelligence. This feature is great at getting a highly customized scenario started, all within a few minutes. When using ‘Create with AI’, it’s vital to provide as much information within the title as you can. Giving more information within the prompt will lead to a better scenario. Additionally, AI is still growing and improving, so take a deep look at the scenario after creation and make alterations where needed. Share your thoughts Have you got any top tips for customizing Crisis Sims? Comment below and share them with The Human Connection Community!Making the Most of the Custom Lab Builder: Tone of Voice
Now you can build your own labs in the Custom Lab Builder, we thought we’d provide some guidance on writing with a strong tone of voice to ensure your labs are as engaging as possible. This blog is the third in a series on making the most of the Lab Builder, looking at what we call the Four Cs. Ensuring your writing is… Conversational Concise Conscious Consistent The previous two posts looked at accessibility and inclusivity. This post focuses on tone of voice and how to write authentically to ensure your audience engages with the lab and remembers the message you’re trying to teach them. Writing well For most of your life, you’ve probably been told to write properly. Avoid contractions at all costs. Use complex sentences with plenty of fancy connecting words like “furthermore” and “moreover”. And never start a sentence with “and”. This formal style works really well for some industries. Academia is traditionally an incredibly formal area when it comes to the written word, as is the broadsheet newspaper realm. This is often to reflect the work’s sincerity, to avoid weakening a writer’s reputation, and to present ideas consistently and objectively. But Immersive Labs believes writing can be sincere and objective without being so... dull! Be conversational Copywriting is increasingly conversational, appearing everywhere from LinkedIn posts to the back of your milk carton. This style engages readers by feeling personal and authentic, aligning with Richard Mayer’s Personalization Principle, that people learn more deeply when words are conversational rather than formal. A human-to-human copywriting style makes sense for Immersive Labs, as we’re all about focusing on the humans behind the screens. When using the Lab Builder, we recommend writing your labs in an engaging, approachable style to create a modern, user-friendly learning environment. But conversational doesn’t mean sloppy. It’s about presenting ideas clearly and confidently, helping users feel at ease while they learn. Use everyday, concrete language Using fancy, complex words doesn’t make content better – it can actually distract readers and undermine clarity. Instead, prioritize clear, straightforward language to ensure your message is easy to understand, especially by users with cognitive disabilities. Avoid overly poetic phrases, figures of speech, idioms, or ambiguous language, which can confuse or overwhelm readers, including those with autism spectrum conditions. Strive for clarity to help users grasp your message the first time, keeping their needs front and centre. Address the reader Authenticity is all about gaining your reader’s trust. We recommend speaking directly to them in your custom labs by using “you” throughout your copy. This handy trick also avoids any ambiguity when it comes to practical tasks. Take the following example. “In this lab, the machine must be analyzed and IoCs must be extracted.” Instead of being vague and passive, we recommend talking directly to the reader and telling them exactly what they need to do. “In this lab, you need to analyze the machine and extract IoCs.” Or better yet, you can be even more direct by cutting that down even further: “In this lab, analyze the machine and extract IoCs.” Our labs and scenarios frequently talk directly to the reader. Users are more likely to stay engaged when they’re spoken to, not at. Use contractions Contractions instantly make your writing more conversational by mimicking natural speech. Combining words like "it is" to "it’s" or "you are" to "you’re" adds a touch of informality that feels approachable and inclusive. While once discouraged in formal writing, contractions are ideal for a modern learning environment, making text easier to read, understand, and remember. Be concise Writing in plain language is good for all users, but can make a massive difference for neurodivergent users, those who struggle to focus, those who hyperfocus, or maybe those who find reading difficult. We follow recommendations from the Advonet Group, the British Dyslexia Association, and Clark and Mayer’s Coherence Principle to ensure accessibility for a diverse audience – and you should too! Writing simply and clearly doesn’t mean trivializing content or sacrificing accuracy; it just makes your message easier to understand. After all, no one's ever complained that something's too easy to read! The difficulty comes when balancing this with technical content. How can you make advanced, complex cybersecurity topics clear and concise? Keep it short and sweet Sentences longer than 20 words become difficult to understand and can detract from the point being made. It’s easy for people’s minds to wander, so get to your point in as few words as possible. The same goes for paragraphs. Try and avoid long, dense walls of text. Nobody wants to read that, and it’s no good when thinking about accessibility. Keep your paragraphs to four or five lines, maximum. Get to the point Avoid adding unnecessary side notes to your labs, as they can distract from the main message and make learning harder. Unnecessary content distracts the learner’s attention from the main message, making them less likely to remember the core topic. It disrupts the connections between key messages and diverts the learner’s focus, making it harder to piece together the bigger picture. This is all down to cognitive load theory, which says that in general, humans can handle around four pieces of new information at any one time. To help users focus, stick to the lab's core topic and avoid overloading them with unrelated details. TL;DR When writing your labs with the Custom Lab Builder, ensure all your text is conversational to engage your users with the topic. And also make all your copy as concise as possible. Getting your message across in as few words as possible will reduce cognitive overload, boredom, and frustration. By focusing on being conversational, as well as being consistent and conscious (as we covered in the previous blog posts in this series), your readers will engage with your content better, remember the topic, and be able to put it into practice more easily – improving their cybersecurity knowledge and driving their cyber resilience. Share your thoughts! What do you think about these tone of voice tips when writing your custom labs? Have you tried to write your labs in a conversational yet concise way, and how did this go down with your users? Do you have any other suggestions for the community on how to write conversationally? We’d love to hear from you!Making the Most of Custom Lab Builder: A Guide to Writing Inclusively for All
Language shapes how people perceive and engage with content, so it’s crucial to consider the kind of words you use. Using outdated terminology can offend and disengage learners, as well as hurt a company’s reputation. This blog is the second in a series on making the most of the Lab Builder, looking at what we call the Four Cs. Ensuring your writing is… Conscious Consistent Conversational Concise The previous post in this series looked at accessibility. In this post, we’ll explore what it means to write consciously and inclusively, share practical tips, and show how our platform supports this critical effort. Why is inclusive language important? Inclusive language avoids bias, respects diversity, and ensures accessibility for all. In cybersecurity, it means using terms that foster collaboration and trust, avoiding outdated or harmful phrases, and creating welcoming and empowering content The Quality Team at Immersive Labs is committed to staying up to date with how language changes in the cyber industry. We regularly undertake research and speak to other industry professionals to ensure that our language is appropriate. Words to avoid We recommend avoiding specific terms that some people may find offensive, and some socially charged language that may have negative connotations. Non-inclusive language to avoid Preferred inclusive versions Whitelist/Blacklist Allowlist/Denylist White hat/Black hat hackers Ethical/Unethical hackers Master/Slave Leader/Follower, Primary/Replica, Primary/Standby Grandfathered Legacy status Gendered pronouns (e.g. assuming “he/him/his”) They, them, their Gendered pronouns (e.g. “guys”) Folks, people, you all, y’all Man hours, man power Hours, engineer hours, workforce, staffing Man-in-the-middle attack Machine-in-the-middle attack Sanity check Quick check, confidence check, coherence check Dummy value Placeholder value, sample value Crazy, insane Amazing, incredible, or any other appropriate adjective Socially charged words Preferred inclusive versions Native Built-in, default, pre-installed, integrated, core Abort Stop, cancel, end, force quit Cripple Disable, impair, damage, destroy, ruin Kill Stop, force quit, close, shut down Trigger Activate, initiate, cause, launch Unsure if a phrase you’ve used could be seen as offensive? Ask yourself: is this the most accurate and appropriate choice? Often, you can find a more descriptive word and avoid using these examples. Top tips for inclusive language Use writing tools Tools like Grammarly can help identify problematic words or phrases. You can create customized lists in Grammarly, which will then flag when a word has been used in your writing. Additionally, there are many inclusive language guides available online. Keep it short and sweet Use short sentences and paragraphs. Shorter sentences are easier to read, scan, and understand – especially for those with cognitive disabilities. Aim for sentences around 10–15 words, with variation for a natural flow. Avoid sentences longer than 20 words, as they can be harder to follow. Read aloud Proofread your work aloud to catch awkward phrasing, overly complex sentences, or insensitive terms. Hearing the words can help identify spots where clarity or tone might need improvement. Get a second opinion Ask a colleague to review your final version. A fresh set of eyes can spot language that might be unclear, inappropriate, or overly complicated. Share your thoughts Now that Lab Builder is here and you’ve had a chance to create your own content, how have you made your content more inclusive? We’re always looking to stay up to date, so if you have any further suggestions to add to our list of words to avoid or any other tips, let us know! We’d love to learn from you and grow the collective community knowledge.Making the Most of the Custom Lab Builder: Writing With Accessibility in Mind
What if someone tried to access your content who was visually impaired? Or who had cognitive difficulties? Or who was hard of hearing? Would they be able to understand the information you’ve provided and improve their cyber resilience? Our in-house copyediting team has created a series of articles to help you craft high-quality labs, aligned to the rigorous processes we follow. We embrace what we call the Four Cs to ensure all labs are: Consistent Conscious Conversational Concise These articles delve into each of these principles, showing how to implement them in your labs to create content that resonates with readers, enhances learning, and boosts cyber resilience. This post highlights how being conscious of your formatting can enhance accessibility for assistive technology users and how consistent formatting improves navigation for everyone. Rich text formatting Rich text formatting tools like subheadings, bullet points, lists, and tables in the Custom Lab Builder help organise information for easier scanning, better retention, and improved comprehension. Using these will ensure your content is consistent, accessible, and reader-friendly for everyone! Rich text formatting elements carry specific meaning, which assistive technologies rely on to convey information to specific users. Headings Visually, headings represent hierarchy through different font styling and allow users to quickly scan content. Programmatically, they allow users who can’t see or perceive the visual styling to access the same structural ability to scan. Heading elements should reflect the structure of the content. So your title should go in ‘Heading 1’ formatting, your next subheading will go in ‘Heading 2’ formatting, and so on. To ensure your content reads correctly to screen reader users, don’t use HTML heading styling to represent emphasis, and don’t use bold to make text appear like a heading. Lists (bullets/numbering) Always use bullets or numbered lists using the provided formatting to convey a list. A screen reader will announce that the following information is a list. Links How a link is formed significantly impacts usability. Consider the following sentence: “To find out more about this topic, complete our Intro to Code Injection lab here.” Links are interactive elements, which means you can navigate to them using the tab key. A user who relies on screen magnification to consume content may choose to tab through content to see what's available. The example above would be communicated as just “here”, which provides no context. They’d need to manually scroll back to understand the link’s purpose. Always use descriptive link text that clearly indicates its destination. Avoid ambiguous phrases like “here”. If that’s not possible, ensure the surrounding text provides clear context. “To find out more about this topic, complete our Intro to Code Injection lab.” Bold Only use bold for emphasis! Avoid italics, capital letters, or underlining (reserved for hyperlinks) to prevent confusion. Consistency in formatting reduces cognitive load, making your text more accessible. Bold stands out, provides better contrast, and helps readers quickly identify key information. Avoid italics With 15–20% of the population having dyslexia, italics are worth avoiding because research shows it’s harder for this user group to read italic text. Italics can sometimes bunch up into the next non-italic word, which can be difficult to comprehend or distracting to read. Media If you’re adding media to your labs, such as videos and images, it’s especially important to consider those who use assistive technologies. These users need to have the same chance of understanding the content as everyone else. They shouldn’t miss out on crucial learning. What is alternative text? Alt text describes the appearance and function of an image. It’s the written copy that appears if the image fails to load, but also helps screen reading tools describe images to visually impaired people. Imagine you’re reading aloud over the phone to someone who needs to understand the content. Think about the purpose of the image. Does it inform users about something specific, or is it just decoration? This should help you decide what (if any) information or function the images have, and what to write as your alternative text. Videos Any videos you add to your lab should have a transcript or subtitles for those who can’t hear it. Being consistent Consistency is a major thinking point for accessibility. We recommend adhering to a style guide so all of your labs look and feel consistent. We recommend thinking about the structure of your labs and keeping them consistent for easy navigation. In our labs, users expect an introduction, main content, and a concluding “In This Lab” section outlining the task. This helps users recognize certain elements of the product. It reduces distraction and allows easier navigation on the page. For example, some users prefer diving into practical tasks and referring back to the content if they need it. By using the same structure across your lab collections, your users will know exactly where to find the instructions as soon as they start. TL;DR It’s crucial to focus on accessibility when writing your custom labs. Utilise the built-in rich text formatting options in the Custom Lab Builder (and stay consistent with how you use them!) to ensure your labs are easy to navigate for every single user. By being conscious and consistent with your formatting, every user will engage with your content better, remember the topic, and be able to put it into practice more easily, improving their cybersecurity knowledge and driving their cyber resilience. No matter how they consume content. Keep your eyes peeled for the next blog post in this series, which will look at inclusive language. Share your thoughts! There’s so much information out there on creating accessible content. This blog post just focused on the language, structure, and current formatting options available in the Custom Lab Builder. Have you tried to make your labs or upskilling more accessible, and how did this go down with your users? Do you have any other suggestions for the community on how to write content with accessibility in mind? Share them in the comments below!Realizing the Full Potential of Drill Mode in Crisis Simulator
Unless you’ve been living under a rock for the last decade or so, you already know cyber crises have become increasingly prevalent – posing significant threats to organizations worldwide. Organizations must continuously assess and improve their technical and non-technical teams’ knowledge, skills, and judgment to combat these challenges. This is where Immersive Labs’ Crisis Simulator comes into play. With single-player, drill, and presentation modes available, organizations can conduct team exercises that simulate real-world cyber crises in a number of different formats to prevent exercise fatigue. This allows organizations to create an exercising-first culture – as one tabletop exercise a year just isn’t enough. Let’s dig more into drill mode and learn how it helps users realize the true potential of cyber crisis planning. Crisis Simulator Drill Mode: What is it? Drill mode is a multiplayer crisis exercising format which allows participants to assume specific roles and tackle role-specific challenges. The goal is to strengthen their domain knowledge and develop muscle memory to more effectively deal with an actual crisis. A Crisis Sim administrator can assign clearly defined roles by aligning participants’ tasks with their actual job duties, ensuring the drills reflect real-life scenarios. Upon assignment, players receive notifications about their upcoming exercise, followed by a message signaling the start of their role-specific decision point or “inject.” Drill mode follows a sequential “pass the baton” style relay, allowing only one role to have an active task at any given time, with the completion of an active task triggering the next task. Some exercises may require players to complete multiple injects in succession, creating a cohesive and dynamic experience. Individual players’ decisions (good or bad) will significantly impact how the scenario unfolds for others, mimicking the interdependence and complexity of real crises. Benefits for Customers Drill mode was developed using direct customer feedback. Immersive Labs users were looking to exercise teams with role-relevant content to increase exercising engagement. With drill mode, and unlike competing solutions, participants aren’t expected to answer injects outside their area of expertise – ensuring a more focused and realistic experience. Drill mode’s emphasis on role-specific tasks promotes a more authentic depiction of how crisis responses really unfold. Recognizing no individual holds all decision-making power during a crisis, Drill mode reinforces collaboration and coordination among team members. Data gathered during a drill scenario allows teams to identify points of weakness and develop targeted training interventions. Drill mode also enables organizations to track the time needed for participants to complete each inject. This valuable metric provides insights into individual and team performance, giving organizations more data to refine their crisis response strategies and optimize resource allocation. Embracing Remote-First Work Environments With the proliferation of remote work, Crisis Simulator’s drill mode adapts nicely to evolving organizational needs. Players receive notifications and contribute when required. This remote-first approach enables seamless participation and ensures teams are well-prepared, regardless of geographical dispersion. Our micro-drills allow key contributors to allocate less than 10 minutes per decision point, significantly reducing their time commitment compared to traditional full-day drills. This efficient utilization of resources maximizes productivity and minimizes disruption to daily operations. Immersive Yourself Drill mode is a powerful feature within the Crisis Simulator that unleashes the true potential of cyber crisis planning. By assigning clearly defined roles to participants, organizations can conduct team exercises where each player assumes their actual job role in completing an assigned task. With a strategic and measurable approach to cyber crisis preparedness, Crisis Simulation with drill mode identifies weaknesses and promotes collaboration among team members. With the ability to track inject completion time, adapt to remote work environments, and offer versatile scenario options, drill mode empowers organizations to build greater resilience in the face of cyber threats.
