(Full disclosure, clever title, but not mine)
One of the challenges for the Chief Security Officer is convincing his or her executives of the unpredictable and potentially catastrophic nature of cyber attacks directed against the organization. The rules are constantly changing, and many attacks are invisible to the CSO until some real damage has already occurred. During the PwC analyst day in Boston on Oct 28, I participated in a "gamified" demonstration that simulated a cyber attack, with one participant playing the role of the hacker and the other, me in this case, responding as the CSO. The demonstration was eye-opening, and it made a normally conceptual event more real and thought-provoking.
The battle against cyber crime ostensibly takes place mostly on paper and in the meeting rooms of the executive suite. The CSO, in an effort to protect the institution, uses limited resources, knowledge of the industry and, many times, intuition to battle a collective foe that is completely invisible and whose motives are unknown. The real back-and-forth conflict takes place in cyberspace, over days, months, and years, as each side tries to outwit the other by directing resources to the war and responding to the opponent's offensive and defensive tactics.
This is exactly how the folks at PwC saw it when they developed a demonstration they call Game of Threats, which looks like the war room from Dr. Strangelove. In the demonstration, two participants battle head-to-head in a simulation of a drawn-out cyber war. Each participant is given a game tablet, which presents the views, resources, and options that the respective opponent sees and plays. As CSO, I could see three things: my total available resources, essentially dollars that I could allocate based on the value of those resources if I chose to deploy them; news feeds that simulated events breaking into the public arena; and the options I could play based on previous decisions and available next moves. All options were categorized as "Prevent," "Detect," "Respond," or "Recover."
If you've ever played Magic: The Gathering, you'll understand the mechanics here. In turn, each player pays for and uses a resource to attack or defend against the other player. The hacker can buy software to create an exploit, invest in zombie servers to aid in a DDoS attack, hire minions to intensify the attack, etc. As the CSO, I could proactively purchase and deploy anti-virus software, hire security experts, implement network monitoring tools, or react to breaches and attacks by contracting with PR firms, shutting systems down, and so on. Typically, the simulation begins with the hacker "playing a card" while the CSO player watches the room-size collection of screens for public impact, available responses, and more importantly, the score.
The score is based on the value of the damage or repair caused by each action the players take. A needle on a prominent round display on the screens moves around a zero point, going positive when the CSO's response has kept the organization safe, and moving to the negative side as the hacker inflicts more damage.
The folks at PwC told me that these simulations rarely reach the 12th round before the CSO loses. In a few cases, the good guy even wins. But the lasting impact of playing the game is clearly the helpless feeling one gets as the hacker overcomes most, if not all, of the defenses available to the CSO, particularly since much of the game is played blind, with the CSO unable to see exactly what the hacker has done to affect the organization. The only element missing from the simulation, and one that is just as real as any other aspect of the game, is the set of options an organization has once it has lost: from marketing and public relations responses to the effort and cost of cleaning up the mess afterwards. The thinking here is that this topic, what to do once all hell breaks loose, is better handled as a discussion rather than as part of the game itself. This makes sense, as the simulation is focused on initiating and fostering frank conversations.
The point here is for non-security execs to understand, at a very visceral level, the challenges of battling cyber crime. Once the novelty of the game has worn off - usually after the needle has been in the red for a few moves - the CSO player feels the urgency of needing to play exactly the right cards, deploying exactly the right resources (and wishing they had more), to combat the bad guy. This is the kind of tool that can force the discussion about the strategies and appropriate levels of investment it takes to treat the issue of cyber crime seriously. In the financial services industry, I would recommend that execs from the boardroom to the lines of business experience this "game" to understand how real the threat is.
By the way, I got to the 11th round, but even with some coaching, I lost too.