The game of cyber strategy that's easy to play and difficult to master.

1. A Cyber-Strategy game that’s easy to play but difficult to master
Developed by Sr CyberSecurity Consultant ‘Tabish Asifi’ (E: tabish@alhosninfosec.com; tabish.asifi@live.com | Tw: @tabish.asifi)
www.cyberstratg.com

2. You are the proud owner of a
$100 Million (Revenue)
Company

3. Your Company is
Exposed to Cyber
Threats Just Like Any
Other Company in the
Market.

4. Which means your business is
exposed to all the typical Cyber
Threats, which are on the rise.

5. High Level Objectives of this Game
Minimize the negative
impact of Cyber Threats to
your business.
1
Maximize the coverage of
mandatory Regulatory and
Legal compliance.
2
Maximize the positive
impact on business
through achievement of
security objectives.
3

6. Core Elements of the Game
Overall Objective: Maximize the over all net
revenue of your company over a 3 year span.
Key Resources: The Information you need for
decision making is provided in the web worksheet.
Key Skills: Identify and analyse relevant information
and take decisions in limited time.

7. Time at disposal
• A total of 3 year to maximize your
net revenue.
• Each year is represented by 1 hour
of gameplay. (Fast track- 20 min.)
• Total of max 14 investment
decisions per year is allowed.
• Hence you essentially get 20 - 60
min per session, for making key
decisions for your investments, in
the right security control /
capability.

8. Budget at disposal
• Security Budget: 1% of revenue per
year ie C$ 1 million.
• Since typically 10% of business revenue
is assigned to IT.
• And typically 10% of IT budget goes
into security.

9. Investment Cards
• SO- Security Objectives (Red | Black)
• SC- Security Capability
These cards are purchased by the
players every year for investment
towards threat impact mitigation,
regulatory compliance and
business objectives attainment.
A Maximum of 14 such cards can
be bought in a year.

10. Wheels of Threat
• A threat is randomly selected
by the Spin Wheel.
• The frequency of common
cyber threat is given due
weightage during the
selection.
• For this game, the list of
threats used is from NESA IAS
(& ADSIC) threat catalogue.
• A maximum of 6 threats are
selected every year.

11. Links between different components
Actualized Threats impact
negatively your revenue.
Investment in SO (Security
Objectives) and SC (Security
Capability) neutralizes or
minimizes the impact of
these random ‘threat’
exposure.
Non-Compliance found
through random regulatory
audit impacts negatively
your revenue. Investment in
all the mandatory SO (Red
Cards) saves you from the
negative impact.
SO (Security Objective)
achievement/ investment
also impacts positively your
revenue by supporting your
Business Goals.

12. Imp Decision Making Sheets [Web Workbook]
List of SO and SC with its Cost-Benefit & Time constraints.
List of mandatory SO for compliance audit success.
“SO.Im” Sheet
List of Threats and its Impact and Frequency.“Th.Im” Sheet
Calculation of threat exposure once a threat is realized
(that is picked by the threat wheel).“ThExp” Sheet

13. Players Gameboard
& Working sheets

14. Typical Gameplay Sequence

15. Team Play
Red
Team
Blue
Team
Green
Team
Team Name RED BLUE GREEN
Typical Mix CEO/CFO/MD/Board Legal/Audit/Compliance COO/CIO/CISO
Perspectives Business Audit Operational
Member no Members list below Members list below Members list below
1
2
3
4
5
Compete against each other # Recommended: 5 members for each team and each team brings a
different and unique perspective to the gameplay.

16. Identifying a
successful
outcome
The green team wins!

17. Lets Play www.cyberstratg.com