Security is not a game. It just shares a lot in common with certain games. Oh Noes, as an incident response RPG, highlights that and makes great use of it.
I put a lot of my security knowledge down to being a heavy user of games. This includes both tabletop RPGs and board games. Social deduction and storytelling games provide practice dealing with people and presenting. Strategy games give a chance to spot and exploit system weaknesses. Others provide a myriad of other useful skills.
For another project for 2020 I’m going to pick out some which are directly or peripherally useful to a cyber security professional – whether for awareness building, threat modelling, or for useful skills development.
Oh Noes is probably one of the most directly related to security that I have come across, and I strongly recommend it. It’s also free, which is always helpful.
Inspired by a mix of classical tabletop RPGs and incident response exercises, Oh Noes! is a thin (but effective) layer of gamification over a tabletop incident response exercise. No matter how useful and enjoyable (at least I enjoy them) tabletop IR exercises are often seen as a tedious mandatory exercise rather than a chance to prepare and try out security. Wrapping a layer of gamification and entertainment around them is a good way to push engagement and more regular sessions. The game itself recommends quarterly rather than annual. With the right Incident Master and company culture regular Wednesday pizza and gaming sessions might happen.
At the very least it’s a new take on normal IR planning and is worth a shot. It’s published free by Expel, along with some handouts and a few scenarios to begin with. The first few sessions should be run by someone with a bit of experience running tabletop RPGs (as well as an understanding of IR and the company) to get the full experience.
Subjects: game, incident response, security, threat modeling, training