Cyber risk, cyber games

By Erin Ayers on February 27, 2015

puzzlesmallMaintaining an effective cybersecurity posture for your organization isn’t fun and games…except when it is.

It turns out there’s no shortage of, oddly enough, board and card games that attempt to emulate this riveting field. It makes perfect sense.

Many of the most popular games in history transport the player to another, unfamiliar world. Dungeons and Dragons, where elves and orcs fight against gallant wizards and paladins! Risk, where players hold the fate of the world in their hands and make exciting political and economic strategy decisions! Monopoly, where it’s plausible to own multiple real estate plots in Atlantic City and occasionally not be in jail.

For some of the games out there in the world, the goal is to create a lively gaming experience tying into society’s technical undercurrent – Black Hat, a game that was recently a successful Kickstarter project. Another, Android Netrunner, an update in the longstanding gaming Android futuristic universe, depicts a dystopian world where the hackers represent the good guys, trying to wrest secrets from mega-corporations.

It also accurately reflects how frustrating being hacked must feel for organizations, as it is an impossibly difficult game to master, i.e. play a round without shrieking in anger and knocking over tables. Or so I’ve heard.

For others, the goal is to take a difficult concept for businesses, especially smaller ones, and drive home the message that cyber risk affects everyone. Threat Matrix, another Kickstarter project, has as its creator an avid gamer and cybersecurity consultant from Australia, Roger Smith. Smith told Advisen he hopes to use the game to better educate businesses about their cyber exposure – and potentially entertain gamers as well.

“This is where a board game is great at illustrating not only the technology but also some of the jargon at a basic level. The game is not designed to make them experts but it does explain basic concepts that the criminals use – botnets, zombies, malware, social engineering to name a few as well as the protection components – firewalls, encryption, training,” Smith said via email. “With that understanding comes a deeper acceptance that they are not doing what needs to be done.”

Naming as his market businesses, boards, and management teams, Smith plans to launch both a physical game and an electronic copy, combining his experience playing such games as Dungeons & Dragons, Warhammer, and Shadowrun with a career in cybersecurity. He already uses the game as part of his consulting program for small to medium-size enterprises.

“We have used the game to great success at small and medium-size business and not-for-profit organizations’ meetings where they did not understand the problems,” he said. “The concept of the game is to increase awareness, so that organizations get away from two ideas – “we have nothing worth stealing” and “we are too small to be a target.”

Properly reflecting the cyber-risky world – a world where the criminals frequently have the upper hand — faced by organizations isn’t easy.

“Getting the randomness of the digital world correct has been hardest as well as keeping up with the changes in both technology and the criminal attack methods,” said Smith.

If blending the gaming-as-a-hobby world with the cybersecurity one can drive home the message to even a few businesses that don’t yet understand, it’s worth a shot. Hackers are creative; perhaps our defenses and solutions should be as well.

erin.ayers@zywave.com'

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].