13

I am looking for tabletop or card games related to risk management or information security. A kind of "serious" game that can be used as a teaching tool for infosec/risk management.

I know only about Microsoft's Elevation of Privilege.

Konrads
  • I was actually about to recommend EoP when I saw the title... Didn't see that you already knew of it. – forest Aug 05 '19 at 07:18

7 Answers

1

I haven't played anything like this myself, but I found this on Google: http://www.itgovernance.co.uk/products/3831 - Is this similar to what you are looking for?

Jonatan
  • Unfortunately, this is not what I was looking for. That card game is regular playing cards with concepts printed on the back. – Konrads May 10 '12 at 08:49
  • This might be a bit off topic, but I remember hearing about this and being intrigued: http://www.cbsnews.com/2100-501563_162-4930814.html Basically what happens is that you get different teams in different rooms and each team can only see the status of the others after the other team makes a move; teams can make as many moves as they like and it gets broadcast to the others and the resulting effects are evaluated. It was designed as a way of assessing the risk of non-lethal economic attacks (economic war game) on the US. It interested me at the time. – Alex May 18 '12 at 00:10
  • 1
    FlipIt? http://www.rsa.com/rsalabs/node.asp?id=3911 – adric Aug 21 '12 at 15:07
1

How about Hacker by Steve Jackson Games?

http://www.sjgames.com/hacker/

I've used it for exactly what you are asking about.

Everett
1

http://www.controlalthack.com/

Pretty interesting game. I think a book would be a better teacher though.

ponsfonze
  • 1
    Saw that one being presented at BlackHat. Looks quite interesting to break the basic concepts. – Konrads Aug 07 '12 at 14:03
1

There is a site you can use for team play (laptops, iPads, etc.):

http://jeopardylabs.com/play/risk-management-jeopardy4

GT_Wrecked
0

Actually I think that classic "Risk" is a great example of Risk Management.

Think about it:

A: You are assessing vulnerabilities in your "system" and figuring out all potentially threatening scenarios.

B: Based on your assessment you are allocating security resources, while using risk management principles to make all decisions (i.e. how many resources are needed for a "foolproof" defense, what is an "acceptable" risk to take, etc.).

C: The random/unexpected factors are represented by dice and cards.

D: The Game Theory factors are also there, as there are different players involved, with different, intertwined agendas.

No real connection to Info. Security, but it's a Risk Management game through and through...

Igal Zeifman
  • I disagree, I think it tends to be more about diplomacy, and who can take North America successfully (only 3 entrances to defend, but 5 bonus troops makes it by far the best). – rlms Apr 23 '15 at 21:11
0

OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

Introduction

The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when SAFECode published its Practical Security Stories and Security Tasks for Agile Development Environments in July 2012.

The Microsoft SDL team had already published its super Elevation of Privilege: The Threat Modeling Game (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was published under a Creative Commons Attribution License. Cornucopia Ecommerce Website Edition is based on the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities, or are not familiar with STRIDE and DREAD.

https://www.owasp.org/index.php/OWASP_Cornucopia

Cristian Dobre
-1

Adam Shostack has compiled an excellent list of these types of games here: https://adam.shostack.org/games.html

Ralph
  • While true that this is a link-only answer, so are the rest of the answers to this question. Leaving this answer up as being consistent with the rest of the answers, but the question has been closed to prevent these types of answers. – schroeder Aug 05 '19 at 12:17