Why testing is necessary – but testing badly can be worse than not testing at all

Cyber Stress Tests only create value when they test real decisions, uncertainty and response capability – not when they create false certainty.

Cyber Stress Tests are increasingly required in sectors such as financial services, healthcare, digital services and critical infrastructure.

More than a trend, they are now an essential tool for testing the organisation’s real response capability in a crisis scenario.
But beware: a poorly planned, poorly executed or poorly followed-up test can create false certainty and hide weaknesses that nobody saw coming.

Below, we highlight the 5 most common mistakes that, on their own or together, undermine the credibility and cancel out the impact of a stress test.

1. Lack of a clear objective

“We mixed everything together to see what would happen.”
This type of approach leads to chaotic exercises, where nobody knows what is being assessed, what the success indicators are or what lessons are meant to be drawn.

An effective test has focus: Response? Communication? Continuity? Recovery?
Everything at the same time = nothing with clarity.

The objective defines the scenario, the unexpected challenges, the participants, the criteria and the impact.

2. Unrealistic scenarios (or overly predictable ones)

Tests that simulate “generic attacks” or merely repeat old exercises add no value in an environment shaped by a new technological reality, in which exposure to risk increases exponentially and, often, silently, taking advantage of new scenarios.

On the other hand, excessively technical tests, without business context, distance decision-makers and confuse participants.

The secret lies in balance: a plausible scenario, with elements of surprise, but linked to the organisation’s reality.

An effective example:
“It is Friday, 18:10. The administrator account is being used to delete databases. The security manager is away.
Who is responsible for responding?
When do they respond?
How do they respond?”

3. Lack of management involvement

If governing bodies only see reports, the most important component is lost: the ability to make decisions under pressure.

Many tests fail because critical roles are not assigned… or are assigned to people who are not present.

Resilience is not only about technical capability and readiness, but also about leadership and governance.
It is about making decisions and having certainty in the middle of an environment of uncertainty.

4. Not documenting, not assessing, not correcting

A test is only justified if it generates useful knowledge and continual improvement.

Running an exercise without records, without evaluating performance, without establishing corrective action plans is theatre, not preparation.

“Going well” does not mean not failing. It means identifying failures, learning and correcting.

5. Testing with the ideal team, in the right scenario

Many tests are carried out with the right people, at the right time and with everything prepared to the minute.

But… what if the responsible person is on holiday?
What if the supplier does not respond?
What if the decision has to be made with only 50% of the information?

The objective is to test the response in chaos, not in a laboratory.
No scenario will materialise exactly in the way we planned, so introducing uncertainty and measuring resilience are critical factors for an effective response when a real scenario occurs.

How to do it properly?

  • Define a clear and specific objective
  • Create a credible, challenging and business-relevant scenario
  • Introduce uncertainty into moments we assumed were certain
  • Involve all levels of the organisation, including leadership
  • Measure performance, identify failures and present a solid improvement plan
  • Repeat periodically and scale the difficulty as maturity grows

Preparing teams for demanding tests

With Behaviour, organisations learn how to plan, execute and improve their stress tests based on standards, frameworks and the delivery of real exercises:

Testing is more than meeting an internal requirement or an external obligation. It is the only real way to know whether we are ready.

But take care: testing badly can be more dangerous than not testing, because it creates the illusion that we are prepared… when we are not yet.

By applying the right methods, scenarios and objectives, stress tests become powerful tools for organisational maturity.

Author: Behaviour
Published on: 29 October 2025
Copying or reproducing this article is not authorised.

Last Modified: April 6, 2026