Industry Activities

Using games at work can be a great way to overcome uncomfortable relationships between security and other functions, but it is not without risk. The general value proposition is that a game is more fun than a typical meeting at which requirements are piled on by security, and that fun serves two purposes: first, it encourages attendance, and second, it opens the door to discussion in the context of a game. The general risk is that games are not serious, and some fraction of your audience will be resistant to games at work.

Below are some ways to use games at work. The list is not comprehensive; if you find others, please let us know!

  • Security awareness training. If you are required to hold security awareness training, why not make it fun? Play Control-Alt-Hack™ for an hour, and use the appropriate cards as part of your debrief at the end to bring home the lessons of spear phishing, dumpster diving, or whatever learning goals your awareness training has this year.

    • Overcoming objections: "People ignore those CBTs, why not try this as a way of training?" "We can have a sign-out sheet to ensure people stay."

  • Security project buy-in: invite your developers for an after-hours session of Control-Alt-Hack™, and use it to discuss issues in the context of your project. For example, if you're worried about X, ensure that card Y is in place (see tactics below).

    • Overcoming objections: If a project is already late and over budget, that may be a bad time to introduce a game, or try to add security requirements. Try to bring a game in early in a project's lifecycle.

  • Exploring security concerns: Sometimes someone is worried about security but has trouble putting their finger on what the concern is. Playing a game will put people in a more creative mood, where they can have a more open discussion of what the concerns may be.

  • Loan out copies for people to take home

  • Leave copies in the lunch room

  • Bring some copies to Happy Hour / TGIF

  • Play the game at retreats

  • Use the game as a team-building activity

Tactics for ensuring impact

  • Stack the deck: Hey, it's for a good cause, right? If you want to stack the deck, aim to place the important cards a little way into it. They shouldn't be so high in the deck that players can't get into the spirit of the game, or so deep that you might miss them. It might be easier to appear to shuffle if you have two card decks and swap them.

  • Don't yank people out of the mood. They're having a good time; let them have a good time. Sometimes you can have a bit of a serious discussion; other times, you’ll want to bring the card you want to discuss to them later.

General tactics for overcoming objections

  • "What have we got to lose?"

  • "It’s only an hour"

  • Food & Drink: Bring in pizza or other 'party' food along with beverages that comply with your corporate policies on such things. (If meetings with beer are not a regular occurrence, be sensitive to religious objections, or folks who may be recovering from alcoholism.)

The pyramid logo is a registered trademark of Steve Jackson Games Incorporated, used under license by University of Washington. All rights reserved. Game mechanics based on the game Ninja Burger, copyright © 2009 by Steve Jackson Games; used under license.

Copyright © 2012 University of Washington. All rights reserved. "Control-Alt-Hack" and the logo are Trademarks of the University of Washington.