Tabletop Security Games + Cards

 

Games teach. Games provide engagement and repetition, which help people learn. Many people have crafted games with explicit security learning goals. These are ‘serious games,’ or ‘games with a purpose.’ There have been academic workshops with a focus on using games to enhance learning. There’s now a small consultancy, HackBack Gaming, that’s exploring bringing games to business.

This page started as a list of tabletop games that touch on information security. It has evolved to be scoped to physical things: discussion-prompting cards are included, software, including CTFs, are excluded. I’m not aware of an attempt to catalog software games with a security teaching goal.

If you are considering creating a game, I cannot recommend The White Box: Game Design Workshop In a Box highly enough. The only downside is that that name is not optimized for searching on Amazon: here’s the boxed set, here’s the kindle version of the book. (And my review.)

 

Security Games (Educational)

The word ”educational” means the game has an explicit learning goal. Contrast with NetRunner (below), which is a complex strategy game set in a cyber-world, but makes no attempt towards realism. The games here range from actionable (Elevation of Privilege, which actively helps you threat model) to educational (Control Alt Hack) to classroom activity to spur conversation.

part of Adam’s game collection, including
     Backdoors and Breaches, Cards against Vintage Security, Control alt hack,  Core Impact,
     Cornucopoa, several Evalevation of Privilege variants, Lindun Go,
     and more. There is also a prototype privacy game, a Shmooball and
     more.
The Agile App Security Game
Created by people in Security Lancaster to cover app programming and project management, the game has players take on the role of product managers for a secure app product. Players select from a variety of choices which security functionality to implement and find out if their choices foil the attacks. The game requires a coordinator, and needs cards printed out and cut out in advance. Blog post has links to the full game with instructions and cards.
Backdoors and Breaches
Backdoors and Breaches is an incident response card game, from Black Hills Information Security, launche in September 2019. As of 2022, there's a core, an expansion and an ICS/OT version, done in collaboration with Dragos. backdoorsandbreaches.com
CIST: A Serious Game for Hardware Supply Chain
”Gamification is an alternative to teaching engineers threats using threat models and trying to keep up to date with new threats. Playing a serious game based on the IC hardware supply chain allows players to take control of self-learning and build knowledge through experiences in the gameplay. This paper propose CIST: A serious game for hardware supply chain, designed for hardware security and uses a threat model called CIST, designed to overcome the different requirements for hardware threats and gaps in current generic security threat models. The CIST game covers hardware-related risks through the complete IC life cycle from design, manufacturing, using the IC within a system and finally, recycling the ICs.” Paper at ScienceDirect. (Paywalled.)
Collect It All
The CIA's Collection Deck game, made available via Diegetic Games. Designed by David Clopper, and actually used for training at the CIA.
Control-Alt-Hack
Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve Jackson Games (Munchkin and GURPS) and developed by Tammy Denning, Yoshi Kohno and Adam Shostack. [BoardGameGeek description]
Cumulus
Cumulus, a cloud-oriented version of EoP by a team at TNG Technology Consulting.
Crypto Go
Crypto Go is an educational card game designed to teach up to date symmetric cryptography. Crypto Go is designed to engage players with symmetric cryptography, and teach them about the correct usage and security level of symmetric tools. It makes players aware of the ephemeral nature of security levels and standards, and stimulates them to learn more about real-world cryptography. (En Español)
Cryptomancer RPG
Cryptomancer is a full on role-playing game with a 432-page hardbound/PDF rulebook. To quote, "Cryptomancer is a tabletop role-playing game made for hackers, by hackers. It features an original fantasy setting and gameplay informed by diverse security disciplines. Players assume the role of characters on the run from a shadowy organization that rules the world through mass surveillance, propaganda, and political coercion."
Cyber Attack!
Cyber Attack! is “a real-world gamified training platform for teams to practice defending against cyber attacks!” by Code Talkers Engineering. Three card decks in a package with rules. You can see and buy cards here.
Cyber Threat Defender
Cyber Threat Defender (CTD) is a multi-player collectible card game designed to teach essential cybersecurity information and strategies. CTD is an easy-to-play, engaging game regardless of skill level. Players must protect themselves from attacks while building robust networks in order to become a true Cyber Threat Defender! Cyber Threat Defender decks can be sponsored for classrooms across the nation or purchased for individual gameplay. You can see and buy cards here.
Data Heist
Data Heist claims to be “the first game in the world that teaches cyber hygiene in a fun and engaging way.” Quoting further, “The game is a bit of an anti-thesis where players play the role of an amateur hacker. The aim of the game is for players to “steal” as much data as they can from unsuspecting victims in the marketplace (and there are many even in real life) using three of the most common forms of attacks that usually result in data loss.” The Game site includes descrptions, videos, ad other support tools. Also available via Agile Stationery
Decisions & Disruptions
Decisions & Disruptions is a tabletop/role-playing game about security in industrial control systems. D-D players are challenged with managing the security of a small utility company: they are given a budget that they can spend among a range of different defensive options. By Drs Ben Shreeve and Awais Rashid. Game site includes Legos, cards, and rulebook and several papers.
[D0x3d!]
[d0x3d!] is an open-source board game designed to engage a diverse student body to network security terminology, attack & defend mechanics, and basic security constructs. Its mechanics feature cooperative play, set collection, variable player powers in an action-point allowance system, and a modular board that simulates a network topology. [d0x3d!] was created by Zachary Peterson and Mark Gondree, and inspired by Forbidden Island, created by Matt Leacock and published by Gamewright. Learn more about [D0x3d!] here. [BoardGameGeek description]
Dungeons and Data
Presented at RSA 2018, this blog post and linked files explain a D&D style tabletop by Josh Bressers
Elevation of Privilege: the Threat Modeling Game
Adam Shostack developed Elevation of Privilege as the easy way to get started threat modeling. You can buy a copy from our partner Agile Stationery, download a copy from the Github repo and there's a blog post with the announcement. There are two main presentations; my Black Hat talk "The easy way to get started threat modeling" covers some of why the game works. There’s a longer academic paper presented at 3GSE "Drawing Developers into Threat Modeling." There’s more, including privacy extensions, translations and online versions at the game resource page.
Emergynt Risk
"The Emergynt Risk Deck is a teaching and modeling tool developed by our RiskLabs Division to easily demonstrate the power of our scenario-analysis approach. Use it to speed up table-top exercises or illustrate the vast risk universe of your digitally-enabled organization to your executive leadership."
Enter The Spudnet
"A board game on cybersecurity and computer networking, We mashed potatoes (pun intended) and networking concepts into this cyber-fueled board game for ages 10 and up to learn about networking and cybersecurity concepts - all without computers! This board game is designed for 3-6 players and is perfect for gamers, parents and educators alike." Learn more at potatopirates.game. They also have a Boardgame Geek page.
Exploit!
Created by Core Impact, and based on Emiliano Sciarra’s BANG! I am not aware of online info on Exploit! [BoardGameGeek search]
Exploited in the Wild
Created by Wiz, and ‘for sale’ at CISOTopia. The rules. (Apparently part of an April Fools joke, but there’s rules which might be playable.)
GAP
GAP, a game for Improving Awareness About Passwords is a paper that “explores the potential of serious games to educate users about various features that negatively impact password security. Specifically, we designed a web-based casual game called GAP and assessed its impact by conducting a comparative user study with 119 participants. The study results show that participants who played GAP demonstrated improved performance in recognizing insecure password features than participants who did not play GAP. Besides having educational value, most of the participants also found GAP fun to play.” (Paywalled)
Hack Attack
SANS Hack Attack was a skinning of Exploding Kittens with security content. directions. Download is missing as of March, 2020, if you have a copy please share.
Hacker
”Can you outsmart cybercriminals? Defend the world from cybercriminals by joining the white hat hacker team Oblivion! Play the role of a coder, hacker, and security engineer in 40 beginner to expert challenges. Program your agents to collect data chips while avoiding viruses and alarms. As you discover how a hacker can damage your programs, you will learn how to secure them from future attacks! Each of the 40 challenges includes three phases of play for a total of 120 coding puzzles. Teaches: CONCURRENCY and SECURITY MINDSET” Thinkfun or Amazon. (Not to be confused with the 1992 Steve Jackson game of the same name.)
NeoSens
NeoSens is a Dungeons and Dragons style game, presented by Tiphaine Romand-Latapie at Blackhat 2016: "a new way to train a neophyte audience to the basic principles of Computer Security. The training is developed around a role playing game consisting in attacking and defending a building. A debriefing is done after the game to highlight all the similarities between the game and computer security stakes." "The NeoSens Training Method: Computer SecurityAwareness for a Neophyte Audience" (paper) and presentation, "Dungeons, Dragons & Security
Oh Noes!
"Oh Noes! is a role-playing game -- modeled after many great role playing games such as D&D and Stars Without Number -- designed to help you and your organization become better prepared to respond to cybersecurity incidents." Designed by Bruce Potter and Robert Potter. Creative-Commons Attribution licensed. Starter kit is at Oh Noes! A new approach to IR tabletop exercises.
Operation Digital Chameleon
Red and blue teams develop attack and defense strategies to explore IT-Security of Critical Infrastructures as part of a 2 day IT-Security training. The purpose of the game is to raise IT-Security Awareness for IT-Security Professionals and IT-Professionals like CERT-Teams, CIOs, Risk Managers, Administrators. Developed by Andreas Rieb. See Operation Digital Chameleon: Towards an Open Cybersecurity Method (paywall), and Wie IT-Security Matchplays als Awarenessmaßnahme die IT-Sicherheit verbessern können.
OWASP Cornucopia
Quoting their page: "OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories."
OWASP Cumulus
OWASP Cumulus is a cloud-oriented version of EoP by a team at TNG Technology Consulting, and includes a remote version.
PeriHack
"A board game prototype to learn about cybersecurity. PeriHack is a 2 players turn-based game where one attacker (red team) tries to find and exploit a vulnerability in the defender’s (blue team) network." There’s a paper and the game is available (CC-BY-SA-NC) from their github
Phreaker Life
Phreaker life was created by David Schwartberg for CypherCon 3.0, and is a deck bulding card trading game, according to Boardgame Geek. The game has a site at phreaker.life. Physical copies are available from Hack4Kidz.
Pivots and Payloads
Created by Jason Blanchard, Ed Skoudis, and Mick Douglas. "The board game takes you through pen test methodology, tactics, and tools with many possible setbacks that defenders can utilize to hinder forward progress for a pen tester or attacker." (announcement and webinar.)
Project Config
"A two players board game that utilizes cybersecurity as its base for game mechanics and assign players with “attacker” and “defender” roles in order to experience a cybersecurity- related scenario." website
Protection Poker
Created by Laurie Williams. A tutorial is at Protection Poker Tutorial, and that page has additional links.
Riskio
Created by Stephen Hart at the University of Southhampton, and designed for 3-5 non-technical players, Riskio is a tabletop game to increase cyber security awareness for people with no-technical background working in organisations. Riskio provides an active learning environment where players build knowledge on cyber security attacks and defences by playing both the role of the attacker and the defender of critical assets in a fictitious organisation. The game is played by a maximum of 5 players under the direction of a game master. There’s an academic paper, Riskio: A Serious Game for Cyber Security Awareness and Education.
StixITS
Created by Cody Wamsley at Cybersponse to teach STIX concepts
"Social Engineering Requirements Game"
Created by Kristian Beckers and Sebastian Pape. A Serious Game for Eliciting Social Engineering Security Requirements. (The game does not have an obvious name.) handouts and cards
What.Hack
Created by Zikai Alex Wen, Yiming Li, Reid Wade, Jeffery Huang and Amy Wang at Cornell to teach phishing. Paper " What.Hack: Learn Phishing Email Defence the Fun Way" CHI 2017, (paywalled). The game is available online, whatdothack and requires webgl.
 

Privacy Games

The Game for Privacy
IT Digital created Privacy Board Game has been created to explore and analyze everyday situations on the Internet and learn how to navigate safely using good online security and privacy practices, built towards an open, offline, extensible and board game. (Discussion in this post.)
 

Non-Game Decks

Design With Intent Toolkit
Created by Dan Lockton of Requisite Variety, the Design With Intent Toolkit has cards in eight suits (called lenses): architecture, errorproofing, interaction, ludic, perceptual, cognitive, Machiavellian, and security. The entire set is viewable on the site (a frequently overlooked need), and the Machiavellian lens has an interesting overlap with security.
Privacy Ideation Cards
Created by Lachlan Urquhart at Nottingham University, the Privacy Ideation Cards are intended to "support designers dealing with privacy in their work by sensitising them to information privacy laws in a constructive way."
The Security Cards
Created by Tamara Denning, Batya Friedman, and Tadayoshi Kohno of the University of Washington, "The Security Cards encourage you to think broadly and creatively about computer security threats. Explore with 42 cards along 4 dimensions (suits): Human impact, adversary motivation, adversary resources and adversary methods."
 

Security-themed Tabletop Games

These games have a security theme, but no explicit educational content.

Blackhat
Is a trick-taking game with a board to advance through. The cards and board are themed with solid security content, and the game could be used to drive conversations. Amazon, [BoardGameGeek description]
Hacker
Created by Steve Jackson games after a raid by the Secret Service. Amazon, [BoardGameGeek description]
NetRunner
I haven’t played NetRunner, but it’s for sale at Amazon. Note that NetRunner is by Richard Garfield who designed Magic: The Gathering and other collectable card games, and is of a similar level of complexity. [BoardGameGeek description for NetRunner] [BoardGameGeek description for Andriod: Netrunner] (Thanks to Ted Ipsen for the pointer)
 

Other Resources

ASE (neé 3GSE) Workshops
The Usenix Summit on Gaming, Games and Gamification in Security Education was first held in 2014, adjacent to Usenix Security. There were 12 papers and a panel. The papers are available from the website. There was a 2nd summit 3GSE 2015, and then the program was expanded to "Advances in Security Education."
Project Kidhack
In this presentation from BSides Delaware, Grecs presents an overview of online, CTF, and tabletop games, along with his own Project Kidhack on Slideshare.
Cards Against...
There are a variety of Mad Libs, Apples to Apples, or Cards Against Humanity style decks that have been printed, distributed or sold. Notable for the quality of the content are "Hackers Against Humanity" and "Cards Against Vintage Security" distributed by JScrambler at RSA2019, with a form where you can request a copy of the 2nd edition.
Card Decks
Other Workshops and notable papers