Security Games & Resources
This page is a set of pointers for games in security. It started as a list of tabletop games that I'm aware of that touch on information security, and has expanded.
The games here range from actionable (Elevation of Privilege, which actively helps you threat model) to educational (Control Alt Hack) to classroom activities meant to spur conversation.
- Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve Jackson Games (Munchkin and GURPS) and developed by Tammy Denning, Yoshi Kohno and Adam Shostack. [BoardGameGeek description]
- Cryptomancer RPG
Cryptomancer is a full-on role-playing game with a 432-page hardbound/PDF rulebook. To quote, "Cryptomancer is a tabletop role-playing game made for hackers, by hackers. It features an original fantasy setting and gameplay informed by diverse security disciplines. Players assume the role of characters on the run from a shadowy organization that rules the world through mass surveillance, propaganda, and political coercion."
- Cyber Threat Defender
Cyber Threat Defender (CTD) is a multi-player collectible card game designed to teach essential cybersecurity information and strategies. CTD is an
easy-to-play, engaging game regardless of skill level. Players must protect themselves from attacks while building robust networks in order to become
a true Cyber Threat Defender! Cyber Threat Defender decks can be sponsored for classrooms across the nation or purchased for individual gameplay. You can buy cards here.
[d0x3d!] is an open-source board game designed to engage a diverse
student body to network security terminology, attack & defend
mechanics, and basic security constructs. Its mechanics feature
cooperative play, set collection, variable player powers in an
action-point allowance system, and a modular board that simulates a
network topology. [d0x3d!] was created by Zachary Peterson and Mark
Gondree, and inspired by Forbidden Island, created by Matt Leacock and
published by Gamewright. Learn more about [d0x3d!] here. [BoardGameGeek description]
- Elevation of Privilege: the Threat Modeling
- Adam Shostack developed Elevation of
Privilege as the easy way to get started threat modeling. You can
download a copy from
page at Microsoft, and there's a blog post with
There are two main presentations; my Black Hat talk
easy way to get started threat modeling" covers some of why the
game works. There's a longer academic
Developers into Threat Modeling." There's more, including
translations and online versions at
the threat modeling book
by Core Impact, and based on Emiliano Sciarra's BANG! I am not aware
of online info on Exploit! [BoardGameGeek search]
- OWASP Cornucopia
- Quoting their page: "OWASP Cornucopia is a
mechanism in the form of a card game to assist software development
teams identify security requirements in Agile, conventional and
formal development processes. It is language, platform and
technology agnostic....The idea behind Cornucopia is to help
development teams, especially those using Agile methodologies, to
identify application security requirements and develop
security-based user stories."
- Protection Poker
by Laurie Williams. A tutorial is at Protection
Poker Tutorial, and that page has additional links.
- Created by
Cody Wamsley at Cybersponse to teach STIX concepts
- "Social Engineering Requirements Game"
- Created by
Kristian Beckers and Sebastian Pape. A Serious Game for Eliciting Social Engineering
Security Requirements. (The game does not have an obvious name.) handouts and cards
- ASE (née 3GSE)
- The Usenix Summit on Gaming, Games and
Gamification in Security Education was first held in 2014, adjacent to
Usenix Security. There were 12 papers and a panel. The papers
are available from
There was a 2nd summit 3GSE
2015, and then the program was expanded to "Advances in Security Education."
- In this presentation from
BSides Delaware, Grecs presents an overview of online, CTF, and
tabletop games, along with his own Project
Kidhack on Slideshare.
52 Card Decks
A number of organizations have added educational content to a 52 card deck. They include:
- RedOwl "Learn how to REALLY see insider threats."
- IT Governance, a UK company, has definitions on one side and a term on the other.
Games with a security theme
These games have a security theme, but no explicit educational content.
by Steve Jackson Games after a raid by the Secret Service. Amazon
haven't played NetRunner, but it's for sale at Amazon.
Note that NetRunner is by Richard
Garfield who designed Magic: The Gathering and other collectable
card games, and is of a similar level of complexity.
description for NetRunner] [BoardGameGeek
description for Android: Netrunner] (Thanks to Ted Ipsen for the pointer)
Page maintained by Adam Shostack. Reach out on LinkedIn or tweet @adamshostack to get things added.