Tabletop Security Games & Cards

Games teach. Games provide engagement and repetition, which help people learn. Many people have crafted games with explicit security learning goals. These are 'serious games,' or 'games with a purpose.' There have been academic workshops with a focus on using games to enhance learning.

This page started as a list of tabletop games that touch on information security. It has evolved to be scoped to physical things: discussion-prompting cards are included; software, including CTFs, is excluded. I'm not aware of an attempt to catalog software games with a security teaching goal.

If you are considering creating a game, I cannot recommend "The White Box: Game Design Workshop In a Box" highly enough. The only downside is that the name is not optimized for searching on Amazon: here's the boxed set, and here's the Kindle version of the book.

Security Games (Educational)

The "educational" means that the game has an explicit learning goal. Contrast with NetRunner (below), which is a complex strategy game set in a cyber-world, but makes no attempt towards realism. The games here range from actionable (Elevation of Privilege, which actively helps you threat model) to educational (Control Alt Hack) to classroom activity to spur conversation.

The Agile App Security Game
Created by people in Security Lancaster to cover app programming and project management, the game has players take on the role of product managers for a secure app product. Players select from a variety of choices which security functionality to implement and find out if their choices foil the attacks. The game requires a coordinator, and needs cards printed out and cut out in advance. Blog post has links to the full game with instructions and cards.
Collect It All
The CIA's Collection Deck game, made available via Diegetic Games. Designed by David Clopper, and actually used for training at the CIA.
Control-Alt-Hack
Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve Jackson Games (Munchkin and GURPS) and developed by Tammy Denning, Yoshi Kohno and Adam Shostack. [BoardGameGeek description]
Cryptomancer RPG
Cryptomancer is a full on role-playing game with a 432-page hardbound/PDF rulebook. To quote, "Cryptomancer is a tabletop role-playing game made for hackers, by hackers. It features an original fantasy setting and gameplay informed by diverse security disciplines. Players assume the role of characters on the run from a shadowy organization that rules the world through mass surveillance, propaganda, and political coercion."

Cyber Threat Defender
Cyber Threat Defender (CTD) is a multi-player collectible card game designed to teach essential cybersecurity information and strategies. CTD is an easy-to-play, engaging game regardless of skill level. Players must protect themselves from attacks while building robust networks in order to become a true Cyber Threat Defender! Cyber Threat Defender decks can be sponsored for classrooms across the nation or purchased for individual gameplay. You can buy cards here.
[D0x3d!]
[d0x3d!] is an open-source board game designed to engage a diverse student body to network security terminology, attack & defend mechanics, and basic security constructs. Its mechanics feature cooperative play, set collection, variable player powers in an action-point allowance system, and a modular board that simulates a network topology. [d0x3d!] was created by Zachary Peterson and Mark Gondree, and inspired by Forbidden Island, created by Matt Leacock and published by Gamewright. Learn more about [D0x3d!] here. [BoardGameGeek description]
Dungeons and Data
Presented at RSA 2018, this blog post and linked files explain a D&D-style tabletop game by Josh Bressers.
Elevation of Privilege: the Threat Modeling Game
Adam Shostack developed Elevation of Privilege as the easy way to get started threat modeling. You can download a copy from the GitHub repo and there's a blog post with the announcement. There are two main presentations; my Black Hat talk "The easy way to get started threat modeling" covers some of why the game works. There's a longer academic paper presented at 3GSE, "Drawing Developers into Threat Modeling." There's more, including privacy extensions, translations and online versions, at the threat modeling book website resources page.

Emergynt Risk
"The Emergynt Risk Deck is a teaching and modeling tool developed by our RiskLabs Division to easily demonstrate the power of our scenario-analysis approach. Use it to speed up table-top exercises or illustrate the vast risk universe of your digitally-enabled organization to your executive leadership."
Exploit!
Created by Core Impact, and based on Emiliano Sciarra's BANG! I am not aware of online info on Exploit! [BoardGameGeek search]
GAP
"GAP, a game for Improving Awareness About Passwords" is a paper that "explores the potential of serious games to educate users about various features that negatively impact password security. Specifically, we designed a web-based casual game called GAP and assessed its impact by conducting a comparative user study with 119 participants. The study results show that participants who played GAP demonstrated improved performance in recognizing insecure password features than participants who did not play GAP. Besides having educational value, most of the participants also found GAP fun to play." (Paywalled)
Hacker
"Can you outsmart cybercriminals? Defend the world from cybercriminals by joining the white hat hacker team Oblivion! Play the role of a coder, hacker, and security engineer in 40 beginner to expert challenges. Program your agents to collect data chips while avoiding viruses and alarms. As you discover how a hacker can damage your programs, you will learn how to secure them from future attacks! Each of the 40 challenges includes three phases of play for a total of 120 coding puzzles. Teaches: CONCURRENCY and SECURITY MINDSET" Thinkfun or Amazon. (Not to be confused with the 1992 Steve Jackson game of the same name.)
NeoSens
NeoSens is a Dungeons and Dragons style game, presented by Tiphaine Romand-Latapie at Black Hat 2016: "a new way to train a neophyte audience to the basic principles of Computer Security. The training is developed around a role playing game consisting in attacking and defending a building. A debriefing is done after the game to highlight all the similarities between the game and computer security stakes." "The NeoSens Training Method: Computer Security Awareness for a Neophyte Audience" (paper) and presentation, "Dungeons, Dragons & Security."
Operation Digital Chameleon
Red and blue teams develop attack and defense strategies to explore IT-Security of Critical Infrastructures as part of a 2 day IT-Security training. The purpose of the game is to raise IT-Security Awareness for IT-Security Professionals and IT-Professionals like CERT-Teams, CIOs, Risk Managers, Administrators. Developed by Andreas Rieb. See Operation Digital Chameleon: Towards an Open Cybersecurity Method (paywall), and Wie IT-Security Matchplays als Awarenessmaßnahme die IT-Sicherheit verbessern können.
OWASP Cornucopia
Quoting their page: "OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic....The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories."
Project Config
"A two players board game that utilizes cybersecurity as its base for game mechanics and assign players with “attacker” and “defender” roles in order to experience a cybersecurity-related scenario." website
Pivots and Payloads
Created by Jason Blanchard, Ed Skoudis, and Mick Douglas. "The board game takes you through pen test methodology, tactics, and tools with many possible setbacks that defenders can utilize to hinder forward progress for a pen tester or attacker." (announcement and webinar.)
Protection Poker
Created by Laurie Williams. A tutorial is at Protection Poker Tutorial, and that page has additional links.
StixITS
Created by Cody Wamsley at Cybersponse to teach STIX concepts.
"Social Engineering Requirements Game"
Created by Kristian Beckers and Sebastian Pape. A Serious Game for Eliciting Social Engineering Security Requirements. (The game does not have an obvious name.) handouts and cards
What.Hack
Created by Zikai Alex Wen, Yiming Li, Reid Wade, Jeffery Huang and Amy Wang at Cornell to teach phishing. Paper: "What.Hack: Learn Phishing Email Defence the Fun Way," CHI 2017 (paywalled, try Sci-hub). The game is available online at whatdothack and requires WebGL.

Privacy Games

The Game for Privacy
The Privacy Board Game has been created to explore and analyze everyday situations on the Internet and learn how to navigate safely using good online security and privacy practices, built towards an open, offline, extensible board game. (Discussion in this post.)

Non-Game Decks

Design With Intent Toolkit
Created by Dan Lockton of Requisite Variety, the Design With Intent Toolkit has cards in eight suits (called lenses): architecture, errorproofing, interaction, ludic, perceptual, cognitive, Machiavellian, and security. The entire set is viewable on the site (a frequently overlooked need), and the Machiavellian lens has an interesting overlap with security.
Privacy Ideation Cards
Created by Lachlan Urquhart at Nottingham University, the Privacy Ideation Cards are intended to "support designers dealing with privacy in their work by sensitising them to information privacy laws in a constructive way."
The Security Cards
Created by Tamara Denning, Batya Friedman, and Tadayoshi Kohno of the University of Washington, "The Security Cards encourage you to think broadly and creatively about computer security threats. Explore with 42 cards along 4 dimensions (suits): Human impact, adversary motivation, adversary resources and adversary methods."

Other Resources

ASE (née 3GSE)
The Usenix Summit on Gaming, Games and Gamification in Security Education was first held in 2014, adjacent to Usenix Security. There were 12 papers and a panel. The papers are available from the website. There was a 2nd summit 3GSE 2015, and then the program was expanded to "Advances in Security Education."
Project Kidhack
In this presentation from BSides Delaware, Grecs presents an overview of online, CTF, and tabletop games, along with his own Project Kidhack on Slideshare.
Cards Against...
There are a variety of Mad Libs, Apples to Apples, or Cards Against Humanity style decks that have been printed, distributed or sold. Notable for the quality of the cards are "Hackers Against Humanity" and "Cards Against Vintage Security" distributed by JScrambler at RSA2019, with a form where you can request a copy of the 2nd edition.
52 Card Decks
A number of organizations have added educational content to standard 52 card decks, and suggested playing any game you would play with standard playing cards. They include: RedOwl "Learn how to REALLY see insider threats," and IT Governance, a UK company whose deck has definitions on one side and a term on the other. (As of 2019, there are enough of these that it no longer makes sense to keep track.)
Scottish Workshop
Heriot-Watt University hosted a "Workshop on Serious Games for Cyber Security" May 21-22, 2019.

Security-themed Tabletop Games

These games have a security theme, but no explicit educational content.

Hacker
Created by Steve Jackson Games after a raid by the Secret Service. Amazon
NetRunner
I haven't played NetRunner, but it's for sale at Amazon. Note that NetRunner is by Richard Garfield, who designed Magic: The Gathering and other collectable card games, and is of a similar level of complexity. [BoardGameGeek description for NetRunner] [BoardGameGeek description for Android: Netrunner] (Thanks to Ted Ipsen for the pointer.)

About this page

Page maintained by Adam Shostack. Reach out on LinkedIn or tweet @adamshostack to get things added. Rough criteria: a name, a web page, educational content of some form, and rules for play. Excluded: games where software is required.

Changelog:
  • May 28, 2018: Added privacy section, the privacy board game and a set of criteria.
  • May 28: Added Neosens, aka Dungeons, Dragons and Security.
  • June 8: Added the Agile App Security game.
  • June 28: Added Emergynt Risk cards.
  • Nov 3: Added GAP password game, Project Config; Nov 5 updated links, description.
  • Dec 17: Added Pivots and Payloads
  • Jan 8, 2019: Added Hacker.
  • March 9: Added "the security cards" from UW, Privacy Ideation from Nottingham and Collect it all. Added section on non-game cards. Clarified scope to be about physical items. Compressed listing of 52-card decks. Added a section for "cards against...".
  • March 10: Added Design with Intent
  • April 7: Added White Box Essays & set.