Logo: to the web site of the Swedish Defence University

The annual cyber defense exercise Locked Shields is the world’s largest unclassified defensive exercise. The exercise participants form “blue teams” that are tasked to defend their critical infrastructure against an attacking “red team.” The blue teams are scored based on how well they keep their essential system functions running and the extent to which they manage to assess and report what they are exposed to. During Locked Shields 2019, 24 blue teams from 30 countries participated in a two-day exercise. The case study presented in this paper focuses on one of the blue teams. The team consisted of around 60 people from governmental institutions as well as private companies. The objective of this paper is to explore the possibilities to collect meaningful data for research on Command and Control, C2, Cyber Situational Awareness, CSA, and Intelligence in conjunction with an inter-organizational cyber defense team during a cyber defense exercise. During preparations preceding the exercise, the research team observed the development of strategy, coordination structures and organization in the temporarily formed team as it prepared to solve the highly challenging exercise tasks. During the exercise, data collection included questionnaires, observations, team communication logs, reporting from the blue to the white team and performance scores. The data collection sought to satisfy needs within three research themes - 1) command and control, C2, 2) cyber situational awareness, and 3) intelligence. A review of the dataset showed that the data is well suited for further analysis. The paper presents initial results as well as an outline of how the different types of data collected contribute to research within the three research themes.