Security Games & Resources

This page is a set of pointers for games in security. It started as a list of tabletop games that I'm aware of that touch on information security, and has expanded.

Security Games

The games here range from actionable (Elevation of Privilege, which actively helps you threat model) to educational (Control Alt Hack) to classroom activities meant to spur conversation.

Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve Jackson Games (Munchkin and GURPS) and developed by Tammy Denning, Yoshi Kohno and Adam Shostack. [BoardGameGeek description]
Cryptomancer RPG
Cryptomancer is a full-on role-playing game with a 432-page hardbound/PDF rulebook. To quote, "Cryptomancer is a tabletop role-playing game made for hackers, by hackers. It features an original fantasy setting and gameplay informed by diverse security disciplines. Players assume the role of characters on the run from a shadowy organization that rules the world through mass surveillance, propaganda, and political coercion."

Cyber Threat Defender
Cyber Threat Defender (CTD) is a multi-player collectible card game designed to teach essential cybersecurity information and strategies. CTD is an easy-to-play, engaging game regardless of skill level. Players must protect themselves from attacks while building robust networks in order to become a true Cyber Threat Defender! Cyber Threat Defender decks can be sponsored for classrooms across the nation or purchased for individual gameplay. You can buy cards here.
[d0x3d!] is an open-source board game designed to engage a diverse student body with network security terminology, attack & defend mechanics, and basic security constructs. Its mechanics feature cooperative play, set collection, variable player powers in an action-point allowance system, and a modular board that simulates a network topology. [d0x3d!] was created by Zachary Peterson and Mark Gondree, and inspired by Forbidden Island, created by Matt Leacock and published by Gamewright. Learn more about [d0x3d!] here. [BoardGameGeek description]
Elevation of Privilege: the Threat Modeling Game
Adam Shostack developed Elevation of Privilege as the easy way to get started threat modeling. You can download a copy from the official page at Microsoft, and there's a blog post with the announcement. There are two main presentations; my Black Hat talk "The easy way to get started threat modeling" covers some of why the game works. There's a longer academic paper presented at 3GSE "Drawing Developers into Threat Modeling." There's more, including translations and online versions at the threat modeling book website resources page.

Created by Core Impact, and based on Emiliano Sciarra's BANG! I am not aware of online info on Exploit! [BoardGameGeek search]
Operation Digital Chameleon
Red and blue teams develop attack and defense strategies to explore IT-Security of Critical Infrastructures as part of a 2-day IT-Security training. The purpose of the game is to raise IT-Security Awareness for IT-Security Professionals and IT-Professionals like CERT-Teams, CIOs, Risk Managers, Administrators. Developed by Andreas Rieb. See Operation Digital Chameleon: Towards an Open Cybersecurity Method (paywall), and Wie IT-Security Matchplays als Awarenessmaßnahme die IT-Sicherheit verbessern können.
OWASP Cornucopia
Quoting their page: "OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic....The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories."
Protection Poker
Created by Laurie Williams. A tutorial is at Protection Poker Tutorial, and that page has additional links.
Created by Cody Wamsley at Cybersponse to teach STIX concepts.
"Social Engineering Requirements Game"
Created by Kristian Beckers and Sebastian Pape. A Serious Game for Eliciting Social Engineering Security Requirements. (The game does not have an obvious name.) Handouts and cards.
Created by Zikai Alex Wen, Yiming Li, Reid Wade, Jeffery Huang and Amy Wang at Cornell to teach phishing. Paper "What.Hack: Learn Phishing Email Defence the Fun Way" CHI 2017 (paywalled, try Sci-hub). The game is available online, whatdothack, and requires WebGL.

Other Resources

ASE (née 3GSE)
The Usenix Summit on Gaming, Games and Gamification in Security Education was first held in 2014, adjacent to Usenix Security. There were 12 papers and a panel. The papers are available from the website. There was a 2nd summit 3GSE 2015, and then the program was expanded to "Advances in Security Education."
Project Kidhack
In this presentation from BSides Delaware, Grecs presents an overview of online, CTF, and tabletop games, along with his own Project Kidhack on Slideshare.

52 Card Decks

A number of organizations have added educational content to a 52 card deck. They include:

  • RedOwl "Learn how to REALLY see insider threats."
  • IT Governance, a UK company, has definitions on one side and a term on the other.

Games with a security theme

These games have a security theme, but no explicit educational content.

Created by Steve Jackson Games after a raid by the Secret Service. Amazon
I haven't played NetRunner, but it's for sale at Amazon. Note that NetRunner is by Richard Garfield, who designed Magic: The Gathering and other collectable card games, and is of a similar level of complexity. [BoardGameGeek description for NetRunner] [BoardGameGeek description for Android: Netrunner] (Thanks to Ted Ipsen for the pointer)

Page maintained by Adam Shostack. Reach out on LinkedIn or tweet @adamshostack to get things added.