Tabletop Security Games + Cards
Games teach. Games provide engagement and repetition, which help people learn. Many people have crafted games with explicit security learning goals. These are ‘serious games,’ or ‘games with a purpose.’ There have been academic workshops with a focus on using games to enhance learning. There are now multiple companies bringing security tabletops to business, including HackBack Gaming and The Long Game Project.
If you are considering creating a game, I recommend two resources. They are Your Turn! by Scott Rogers (my review) and The White Box: Game Design Workshop In a Box. The only downside is that the ‘White Box’ name is not optimized for searching on Amazon. Here’s the boxed set, and here’s the Kindle version of the book. (My review.)
This page started as a list of tabletop games that touch on information security. It has evolved to be scoped to physical things: discussion-prompting cards are included; software, including CTFs, is excluded. I’m not aware of an attempt to catalog software games with a security teaching goal.
Security Games (Educational)
The word “educational” means the game has an explicit learning goal. Contrast with NetRunner (below), which is a complex strategy game set in a cyber-world, but makes no attempt towards realism. The games here range from actionable (Elevation of Privilege, which actively helps you threat model) to educational (Control Alt Hack) to classroom activity to spur conversation.
- The Agile App Security Game
- Created by people in Security Lancaster to cover app programming and project management, the game has players take on the role of product managers for a secure app product. Players select from a variety of choices which security functionality to implement and find out if their choices foil the attacks. The game requires a coordinator, and needs cards printed out and cut out in advance. Blog post has links to the full game with instructions and cards.
- Backdoors and Breaches
- Backdoors and Breaches is an incident response card game from Black Hills Information Security, launched in September 2019. As of 2022, there's a core, an expansion and an ICS/OT version, done in collaboration with Dragos. backdoorsandbreaches.com
- Byte Club
- By Michael Novack, “You are hackers in a cybersecurity capture the flag competition. Master cyber attacks and defence to win. This game references real world concepts about cybersecurity, being Cyberkill chain and NIST cybersecurity framework. The audience for this game is for a technical and non-technical audience to learn together. The learning goal is for anyone to understand the fundamentals of cybersecurity activities so they can understand any cyber event/news. Instead of reading the news with mystery and fear they can have understanding and empowerment.” Game site or purchase at Agile Stationery.
- CIST: A Serious Game for Hardware Supply Chain
- “Gamification is an alternative to teaching engineers threats using threat models and trying to keep up to date with new threats. Playing a serious game based on the IC hardware supply chain allows players to take control of self-learning and build knowledge through experiences in the gameplay. This paper proposes CIST: A serious game for hardware supply chain, designed for hardware security and uses a threat model called CIST, designed to overcome the different requirements for hardware threats and gaps in current generic security threat models. The CIST game covers hardware-related risks through the complete IC life cycle from design, manufacturing, using the IC within a system and finally, recycling the ICs.” Paper at ScienceDirect. (Paywalled.)
- Collect It All
- The CIA's Collection Deck game, made available via Diegetic Games. Designed by David Clopper, and actually used for training at the CIA.
- Control-Alt-Hack
- Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve Jackson Games (Munchkin and GURPS) and developed by Tammy Denning, Yoshi Kohno and Adam Shostack. [BoardGameGeek description]
- Cumulus
- Cumulus, a cloud-oriented version of EoP by a team at TNG Technology Consulting.
- Crypto Go
- Crypto Go is an educational card game designed to teach up to date symmetric cryptography. Crypto Go is designed to engage players with symmetric cryptography, and teach them about the correct usage and security level of symmetric tools. It makes players aware of the ephemeral nature of security levels and standards, and stimulates them to learn more about real-world cryptography. (En Español)
- Cryptomancer RPG
- Cryptomancer is a full on role-playing game with a 432-page hardbound/PDF rulebook. To quote, "Cryptomancer is a tabletop role-playing game made for hackers, by hackers. It features an original fantasy setting and gameplay informed by diverse security disciplines. Players assume the role of characters on the run from a shadowy organization that rules the world through mass surveillance, propaganda, and political coercion."
- Cyber Attack!
- Cyber Attack! is “a real-world gamified training platform for teams to practice defending against cyber attacks!” by Code Talkers Engineering. Three card decks in a package with rules. You can see and buy cards here.
- Cyber Threat Defender
- Cyber Threat Defender (CTD) is a multi-player collectible card game designed to teach essential cybersecurity information and strategies. CTD is an easy-to-play, engaging game regardless of skill level. Players must protect themselves from attacks while building robust networks in order to become a true Cyber Threat Defender! Cyber Threat Defender decks can be sponsored for classrooms across the nation or purchased for individual gameplay. You can see and buy cards here.
- Data Breach (two games)
- One was “created by game designers Mariana Cacique, Sydney Rubin, and Karter Duff, Data Breach is a hidden identity game where you have to protect your personal data! Made as a Rhetorical Expression game for the Design of Interactive Media course at USC, this game expresses the value of caution: Pay attention to your surrounding and keep your cards close to heart.” Buy it at GameCrafter.
The second “is a game to create awareness around the risk of sensitive data loss through an understanding of impacts, threats and vulnerabilities. This edition has been aligned with the Vocabulary for Event Recording and Incident Sharing (VERIS).” Also at GameCrafter.
- Data Heist
- Data Heist claims to be “the first game in the world that teaches cyber hygiene in a fun and engaging way.” Quoting further, “The game is a bit of an anti-thesis where players play the role of an amateur hacker. The aim of the game is for players to “steal” as much data as they can from unsuspecting victims in the marketplace (and there are many even in real life) using three of the most common forms of attacks that usually result in data loss.” The game site includes descriptions, videos, and other support tools. Also available via Agile Stationery.
- Decisions & Disruptions
- Decisions & Disruptions is a tabletop/role-playing game about security in industrial control systems. D-D players are challenged with managing the security of a small utility company: they are given a budget that they can spend among a range of different defensive options. By Drs Ben Shreeve and Awais Rashid. Game site includes Legos, cards, and rulebook and several papers.
- [D0x3d!]
- [d0x3d!] is an open-source board game designed to engage a diverse student body to network security terminology, attack & defend mechanics, and basic security constructs. Its mechanics feature cooperative play, set collection, variable player powers in an action-point allowance system, and a modular board that simulates a network topology. [d0x3d!] was created by Zachary Peterson and Mark Gondree, and inspired by Forbidden Island, created by Matt Leacock and published by Gamewright. Learn more about [D0x3d!] here. [BoardGameGeek description]
- Dungeons and Data
- Presented at RSA 2018, this blog post and linked files explain a D&D-style tabletop by Josh Bressers.
- Elevation of Privilege: the Threat Modeling Game
- Adam Shostack developed Elevation of Privilege as the easy way to get started threat modeling. You can buy a copy from Agile Stationery, or download a copy from the GitHub repo. There are two main presentations: a Black Hat talk, “The easy way to get started threat modeling,” covers some of why the game works, and an academic paper presented at 3GSE, “Drawing Developers into Threat Modeling.” Variants, extensions, translations and online versions are covered in the Elevation of Privilege page.
- Emergynt Risk
- "The Emergynt Risk Deck is a teaching and modeling tool developed by our RiskLabs Division to easily demonstrate the power of our scenario-analysis approach. Use it to speed up table-top exercises or illustrate the vast risk universe of your digitally-enabled organization to your executive leadership."
- Enter The Spudnet
- "A board game on cybersecurity and computer networking, We mashed potatoes (pun intended) and networking concepts into this cyber-fueled board game for ages 10 and up to learn about networking and cybersecurity concepts - all without computers! This board game is designed for 3-6 players and is perfect for gamers, parents and educators alike." Learn more at potatopirates.game. They also have a Boardgame Geek page.
- Exploit!
- Created by Core Impact, and based on Emiliano Sciarra’s BANG! I am not aware of online info on Exploit! [BoardGameGeek search]
- Exploited in the Wild
- Created by Wiz, and ‘for sale’ at CISOTopia. The rules. (Apparently part of an April Fools joke, but there are rules which might be playable.)
- GAP
- GAP, a game for Improving Awareness About Passwords is a paper that “explores the potential of serious games to educate users about various features that negatively impact password security. Specifically, we designed a web-based casual game called GAP and assessed its impact by conducting a comparative user study with 119 participants. The study results show that participants who played GAP demonstrated improved performance in recognizing insecure password features than participants who did not play GAP. Besides having educational value, most of the participants also found GAP fun to play.” (Paywalled)
- Hack Attack
- SANS Hack Attack was a skinning of Exploding Kittens with security content (directions). The download is missing as of March, 2020; if you have a copy, please share.
- Hack on Hackers
- Created by Yini Huang as part of her 20017 Masters project at the University of Edinburgh's School of Informatics, Hack on Hackers is intended for students who are currently taking a computer security course and want a good way to review common computer security material in a fun way.
- Hacker
- “Can you outsmart cybercriminals? Defend the world from cybercriminals by joining the white hat hacker team Oblivion! Play the role of a coder, hacker, and security engineer in 40 beginner to expert challenges. Program your agents to collect data chips while avoiding viruses and alarms. As you discover how a hacker can damage your programs, you will learn how to secure them from future attacks! Each of the 40 challenges includes three phases of play for a total of 120 coding puzzles. Teaches: CONCURRENCY and SECURITY MINDSET” Thinkfun or Amazon. (Not to be confused with the 1992 Steve Jackson game of the same name.)
- NeoSens
- NeoSens is a Dungeons and Dragons style game, presented by Tiphaine Romand-Latapie at Blackhat 2016: "a new way to train a neophyte audience to the basic principles of Computer Security. The training is developed around a role playing game consisting in attacking and defending a building. A debriefing is done after the game to highlight all the similarities between the game and computer security stakes." "The NeoSens Training Method: Computer Security Awareness for a Neophyte Audience" (paper) and presentation, "Dungeons, Dragons & Security."
- Oh Noes!
- "Oh Noes! is a role-playing game -- modeled after many great role playing games such as D&D and Stars Without Number -- designed to help you and your organization become better prepared to respond to cybersecurity incidents." Designed by Bruce Potter and Robert Potter. Creative-Commons Attribution licensed. Starter kit is at Oh Noes! A new approach to IR tabletop exercises.
- Operation Digital Chameleon
- Red and blue teams develop attack and defense strategies to explore IT-Security of Critical Infrastructures as part of a 2 day IT-Security training. The purpose of the game is to raise IT-Security Awareness for IT-Security Professionals and IT-Professionals like CERT-Teams, CIOs, Risk Managers, Administrators. Developed by Andreas Rieb. See Operation Digital Chameleon: Towards an Open Cybersecurity Method (paywall), and Wie IT-Security Matchplays als Awarenessmaßnahme die IT-Sicherheit verbessern können.
- OWASP Cornucopia
- Quoting their page: "OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories." There’s also Cornucopia Digital Benefits and Disbenefits, focused on e-government services, “Follow the instructions to help clean and neutralise threats to claimants, reducing blood, sweat and tears.”
- OWASP Cumulus
- OWASP Cumulus is a cloud-oriented version of EoP by a team at TNG Technology Consulting, and includes a remote version.
- PeriHack
- "A board game prototype to learn about cybersecurity. PeriHack is a 2 players turn-based game where one attacker (red team) tries to find and exploit a vulnerability in the defender’s (blue team) network." There’s a paper, and the game is available (CC-BY-SA-NC) from their GitHub.
- Phreaker Life
- Phreaker Life was created by David Schwartberg for CypherCon 3.0, and is a deck building card trading game, according to Boardgame Geek. The game has a site at phreaker.life. Physical copies are available from Hack4Kidz.
- Pivots and Payloads
- Created by Jason Blanchard, Ed Skoudis, and Mick Douglas. "The board game takes you through pen test methodology, tactics, and tools with many possible setbacks that defenders can utilize to hinder forward progress for a pen tester or attacker." (announcement and webinar.)
- Project Config
- "A two players board game that utilizes cybersecurity as its base for game mechanics and assign players with “attacker” and “defender” roles in order to experience a cybersecurity-related scenario." (website)
- Protection Poker
- Created by Laurie Williams. A tutorial is at Protection Poker Tutorial, and that page has additional links.
- Riskio
- Created by Stephen Hart at the University of Southampton, and designed for 3-5 non-technical players, Riskio is a tabletop game to increase cyber security awareness for people with no technical background working in organisations. Riskio provides an active learning environment where players build knowledge on cyber security attacks and defences by playing both the role of the attacker and the defender of critical assets in a fictitious organisation. The game is played by a maximum of 5 players under the direction of a game master. There’s an academic paper, Riskio: A Serious Game for Cyber Security Awareness and Education.
- StixITS
- Created by Cody Wamsley at Cybersponse to teach STIX concepts.
- "Social Engineering Requirements Game"
- Created by Kristian Beckers and Sebastian Pape. A Serious Game for Eliciting Social Engineering Security Requirements. (The game does not have an obvious name.) Handouts and cards.
- What.Hack
- Created by Zikai Alex Wen, Yiming Li, Reid Wade, Jeffery Huang and Amy Wang at Cornell to teach phishing. Paper "What.Hack: Learn Phishing Email Defence the Fun Way," CHI 2017 (paywalled). The game is available online at whatdothack and requires WebGL.
Privacy Games
- The Game for Privacy
- The Privacy Board Game, created by IT Digital, explores and analyzes everyday situations on the Internet and teaches how to navigate safely using good online security and privacy practices. It is built to be an open, offline, extensible board game. (Discussion in this post.)
Non-Game Decks
- Design With Intent Toolkit
- Created by Dan Lockton of Requisite Variety, the Design With Intent Toolkit has cards in eight suits (called lenses): architecture, errorproofing, interaction, ludic, perceptual, cognitive, Machiavellian, and security. The entire set is viewable on the site (a frequently overlooked need), and the Machiavellian lens has an interesting overlap with security.
- Privacy Ideation Cards
- Created by Lachlan Urquhart at Nottingham University, the Privacy Ideation Cards are intended to "support designers dealing with privacy in their work by sensitising them to information privacy laws in a constructive way."
- The Security Cards
- Created by Tamara Denning, Batya Friedman, and Tadayoshi Kohno of the University of Washington, "The Security Cards encourage you to think broadly and creatively about computer security threats. Explore with 42 cards along 4 dimensions (suits): Human impact, adversary motivation, adversary resources and adversary methods."
Security-themed Tabletop Games
These games have a security theme, but no explicit educational content.
- Blackhat
- Blackhat is a trick-taking game with a board to advance through. The cards and board are themed with solid security content, and the game could be used to drive conversations. Amazon, [BoardGameGeek description]
- Hacker
- Created by Steve Jackson Games after a raid by the Secret Service. Amazon, [BoardGameGeek description]
- NetRunner
- I haven’t played NetRunner, but it’s for sale at Amazon. Note that NetRunner is by Richard Garfield, who designed Magic: The Gathering and other collectable card games, and is of a similar level of complexity. [BoardGameGeek description for NetRunner] [BoardGameGeek description for Android: Netrunner] (Thanks to Ted Ipsen for the pointer.)
Other Resources
- ASE (née 3GSE) Workshops
- The Usenix Summit on Gaming, Games and Gamification in Security Education was first held in 2014, adjacent to Usenix Security. There were 12 papers and a panel. The papers are available from the website. There was a 2nd summit 3GSE 2015, and then the program was expanded to "Advances in Security Education."
- Project Kidhack
- In this presentation from BSides Delaware, Grecs presents an overview of online, CTF, and tabletop games, along with his own Project Kidhack on Slideshare.
- Cards Against...
- There are a variety of Mad Libs, Apples to Apples, or Cards Against Humanity style decks that have been printed, distributed or sold. Notable for the quality of the content are:
- Hackers Against Humanity
- Cards Against Vintage Security distributed by JScrambler at RSA2019, with a form where you can request a copy of the 2nd edition
- SemGrep’s Cards Against AppSec
- bspk.io have four sets of Cards against Identity
- Less focused on security content is Bedlam
- Card Decks
- Many organizations have added educational content to standard 52 card decks, and suggested playing any game you would play with standard playing cards. Examples include RedOwl’s "Learn how to REALLY see insider threats," and a deck from IT Governance, a UK company, which has definitions on one side and a term on the other. (As of 2019, there are enough of these that it no longer makes sense to keep track.)
- AppSecGames has created Attackers and Friends, which is a terminology matching game.
- Chris Jay Hoofnagle of Berkeley has a "Denialists’ Deck of Cards: An Illustrated Taxonomy of Rhetoric Used to Frustrate Consumer Protection Efforts," which has both text on cards and an explanatory paper.
- Other Workshops and notable papers
- Heriot-Watt University hosted a "Workshop on Serious Games for Cyber Security" May 21-22, 2019.
- Leah Zhang-Kennedy and Sonia Chiasson have a paper, A Systematic Review of Multimedia Tools for Cybersecurity Awareness and Education. Their focus is multi-media tools rather than physical ones.
- The TULiPS lab at the University of Edinburgh has created several games, including computer and tabletop, and maintains a list that encompasses their games and others.