Security Games & Resources

This page is a set of pointers for games in security. It started as a list of tabletop games that I'm aware of that touch on information security, and has expanded.

Security Games

The games here range from actionable (Elevation of Privilege, which actively helps you threat model) to educational (Control Alt Hack) to classroom activity to spur conversation.

The Agile App Security Game
Created by people in Security Lancaster to cover app programming and project management, the game has players take on the role of product managers for a secure app product. Players select from a variety of choices which security functionality to implement and find out if their choices foil the attacks. The game requires a coordinator, and needs cards printed out and cut out in advance. Blog post has links to the full game with instructions and cards.
Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve Jackson Games (Munchkin and GURPS) and developed by Tammy Denning, Yoshi Kohno and Adam Shostack. [BoardGameGeek description]
Cryptomancer RPG
Cryptomancer is a full on role-playing game with a 432-page hardbound/PDF rulebook. To quote, "Cryptomancer is a tabletop role-playing game made for hackers, by hackers. It features an original fantasy setting and gameplay informed by diverse security disciplines. Players assume the role of characters on the run from a shadowy organization that rules the world through mass surveillance, propaganda, and political coercion."

Cyber Threat Defender
Cyber Threat Defender (CTD) is a multi-player collectible card game designed to teach essential cybersecurity information and strategies. CTD is an easy-to-play, engaging game regardless of skill level. Players must protect themselves from attacks while building robust networks in order to become a true Cyber Threat Defender! Cyber Threat Defender decks can be sponsored for classrooms across the nation or purchased for individual gameplay. You can buy cards here.
[d0x3d!] is an open-source board game designed to engage a diverse student body to network security terminology, attack & defend mechanics, and basic security constructs. Its mechanics feature cooperative play, set collection, variable player powers in an action-point allowance system, and a modular board that simulates a network topology. [d0x3d!] was created by Zachary Peterson and Mark Gondree, and inspired by Forbidden Island, created by Matt Leacock and published by Gamewright. Learn more about [D0x3d!] here. [BoardGameGeek description]
Elevation of Privilege: the Threat Modeling Game
Adam Shostack developed Elevation of Privilege as the easy way to get started threat modeling. You can download a copy from the official page at Microsoft, and there's a blog post with the announcement. There are two main presentations; my Black Hat talk "The easy way to get started threat modeling" covers some of why the game works. There's a longer academic paper presented at 3GSE "Drawing Developers into Threat Modeling." There's more, including translations and online versions at the threat modeling book website resources page.

Emergynt Risk
"The Emergynt Risk Deck is a teaching and modeling tool developed by our RiskLabs Division to easily demonstrate the power of our scenario-analysis approach. Use it to speed up table-top exercises or illustrate the vast risk universe of your digitally-enabled organization to your executive leadership."
Created by Core Impact, and based on Emiliano Sciarra's BANG! I am not aware of online info on Exploit! [BoardGameGeek search]
"GAP, a game for Improving Awareness About Passwords" is a paper that "explores the potential of serious games to educate users about various features that negatively impact password security. Specifically, we designed a web-based casual game called GAP and assessed its impact by conducting a comparative user study with 119 participants. The study results show that participants who played GAP demonstrated improved performance in recognizing insecure password features than participants who did not play GAP. Besides having educational value, most of the participants also found GAP fun to play." (Paywalled)
NeoSens is a Dungeons and Dragons style game, presented by Tiphaine Romand-Latapie at Blackhat 2016: "a new way to train a neophyte audience to the basic principles of Computer Security. The training is developed around a role playing game consisting in attacking and defending a building. A debriefing is done after the game to highlight all the similarities between the game and computer security stakes." "The NeoSens Training Method: Computer SecurityAwareness for a Neophyte Audience" (paper) and presentation, "Dungeons, Dragons & Security
Operation Digital Chameleon
Red and blue teams develop attack and defense strategies to explore IT-Security of Critical Infrastructures as part of a 2 day IT-Security training. The purpose of the game is to raise IT-Security Awareness for IT-Security Professionals and IT-Professionals like CERT-Teams, CIOs, Risk Managers, Administrators. Developed by Andreas Rieb. See Operation Digital Chameleon: Towards an Open Cybersecurity Method (paywall), and Wie IT-Security Matchplays als Awarenessmaßnahme die IT-Sicherheit verbessern können.
OWASP Cornucopia
Quoting their page: "OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic....The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories."
Project Config
"A two players board game that utilizes cybersecurity as its base for game mechanics and assign players with “attacker” and “defender” roles in order to experience a cybersecurity- related scenario." website
Protection Poker
Created by Laurie Williams. A tutorial is at Protection Poker Tutorial, and that page has additional links.
Created by Cody Wamsley at Cybersponse to teach STIX concepts
"Social Engineering Requirements Game"
Created by Kristian Beckers and Sebastian Pape. A Serious Game for Eliciting Social Engineering Security Requirements. (The game does not have an obvious name.) handouts and cards
Created by Zikai Alex Wen, Yiming Li, Reid Wade, Jeffery Huang and Amy Wang at Cornell to teach phishing. Paper " What.Hack: Learn Phishing Email Defence the Fun Way" CHI 2017, (paywalled, try Sci-hub). The game is available online, whatdothack and requires webgl.

Privacy Games

The Game for Privacy
The Privacy Board Game has been created to explore and analyze everyday situations on the Internet and learn how to navigate safely using good online security and privacy practices, built towards an open, offline, extensible and board game. (Discussion in this post.)

Other Resources

ASE (neé 3GSE)
The Usenix Summit on Gaming, Games and Gamification in Security Education was first held in 2014, adjacent to Usenix Security. There were 12 papers and a panel. The papers are available from the website. There was a 2nd summit 3GSE 2015, and then the program was expanded to "Advances in Security Education."
Project Kidhack
In this presentation from BSides Delaware, Grecs presents an overview of online, CTF, and tabletop games, along with his own Project Kidhack on Slideshare.

52 Card Decks

A number of organizations have added educational content to a 52 card deck. They include:

  • RedOwl "Learn how to REALLY see insider threats."
  • IT Governance, a UK company has definitions on one side, and a term on the other.

Games with a security theme

These games have a security theme, but no explicit educational content.

Created by Steve Jackson games after a raid by the Secret Service. Amazon
I haven't played NetRunner, but it's for sale at Amazon. Note that NetRunner is by Richard Garfield who designed Magic: The Gathering and other collectable card games, and is of a similar level of complexity. [BoardGameGeek description for NetRunner] [BoardGameGeek description for Andriod: Netrunner] (Thanks to Ted Ipsen for the pointer)

Page maintained by Adam Shostack. Reach out on Linkedin or tweet @adamshostack to get things added. Rough criteria: a name, a web page, educational content of some form, and rules for play. Excluded: flash-driven web games.

  • May 28, 2018: Added privacy section, the privacy board game and a set of criteria.
  • May 28: Added Neosens, aka Dungeons, Dragons and Security.
  • June 8: Added the Agile App Security game.
  • June 28: Added Emergynt Risk cards.
  • Nov 3: Added GAP password game, Project Config; Nov 5 updated links, description.