GAMIFICATION OF TABLETOP EXERCISES
Playing D&D For Fun And Security
Kelly Ohlert
@gwyddia
WHAT IS A KELLY OHLERT?
• Risk Advisor at Leviathan Security Group
• Tabletop Roleplayer and Scenario Designer
• Lawyer (Nacho Lawyer) since 2005
• @gwyddia
WHAT IS THIS TALK ABOUT?
• What is a traditional tabletop exercise (TTX)?
• What is a tabletop game (TTRPG)?
• How do they compare?
• Why are TTRPGs more interesting?
• How can we use TTRPGs to improve information retention and security?
tabletop exercise [ˈteɪbəlˌtɑpˈɛksɚˌsaɪz]
(noun)
A discussion-based session where team members meet in an informal,
classroom setting to discuss their roles during an emergency and their
responses to a particular emergency situation.1
tabletop game [ˈteɪbəlˌtɑpˈɡeɪm]
(noun)
A group experience designed to get participants to solve problems by
working together in an immersive setting.
1 https://www.ready.gov/exercises. Last accessed 7 July 2021.
Traditional tabletop exercises (TTX) have serious flaws.
Tabletop roleplaying games (TTRPG) are fun.
Why are TTRPGs fun?
Why do we care?
How can you use this information to improve your existence?
EXERCISES ARE KIND OF A BIG DEAL
• Traditional exercises are designed to test people or
processes before the worst happens
• Widely used to meet compliance requirements
• Can be extremely detailed simulations
BUT THEY’RE NOT THAT GREAT ACTUALLY
• Often more about checking off boxes than
exploring possibilities
• Can be stressful for the players because they
fear “failing”
• Rarely use dice
TABLETOP GAMES ARE PRETTY GREAT
• Designed to entertain by making people work together to solve problems
• Encourage novel solutions and welcome failure
• Are more suspenseful than stressful
• Often use dice
Almost all creativity involves purposeful play.
– Abraham Maslow
WELCOME TO FUZZBUTS V. FUZZBUTTS1
• Fuzzbuts.com is an up-and-coming cat picture
aggregator site. Their Deep Purring algorithm harnesses
the ability of real cats to hate each other to allow for
excellent feline sorting.
• Security budget of yes.
• CEO who likes to go rogue.
1 Not a typo.
COMMON ISSUE #1: NONE OF THESE PEOPLE HAVE EVER BEEN IN THE SAME ROOM
SOLUTION: CHARACTER CLASSES
Billie Kottur
Class: C-suite
Abilities: Budget of Yes
Social Media
Credentials
Minotaur Security
Class: Security Team
Abilities: Eager Pentesters
License to Kill
Fuzzbutts.com
Class: Direct Competitor
Abilities: Trade Secrets
I Just Hate You So Much!
COMMON ISSUE #2: ONE PERSON IS DOING ALL THE TALKING
SOLUTION: KILL OFF THEIR CHARACTER
COMMON ISSUE #3: EVERYONE IS HALF ASLEEP
SOLUTION: ARIZONA BAY SCENARIO
Learning needs to have taken place
at the conclusion of a learning journey.
- Rudland, J.R., Golding, C., & Wilkinson, T.J. (2019).
• If you like this, what can you do?
• If you’re in charge of running these things, steal a
few ideas and spice it up.
• If you have to do these things, and you can, rock
the boat during the exercise.
RESOURCES
• Backdoors and Breaches (BHIS)
https://www.blackhillsinfosec.com/projects/backdoorsandbreaches/
• Oh Noes! (Bruce and Robert Potter – expel)
https://info.expel.io/oh-noes
• Adam Shostack
https://adam.shostack.org/games.html
• Me
@gwyddia on Twitter
REFERENCES
• Operation CyberStorm
https://www.cisa.gov/cyber-storm-2020
• Department of Homeland Security
https://www.ready.gov/exercises
• Maslow, A. H. (1943). A theory of human motivation. Psychological Review, 50(4), 370–396.
https://doi.org/10.1037/h0054346
• Rudland, J.R., Golding, C., & Wilkinson, T.J. (2019). The stress paradox: how stress can be good for learning.
Medical Education, 54(1), 41-45. https://onlinelibrary.wiley.com/doi/full/10.1111/medu.13830
• Wallace, Jennifer. “Why It’s Good for Grownups to Go Play” The Washington Post 20 May 2017: n. pag. Washingtonpost.com. Web. 23 June 2021
https://www.washingtonpost.com/national/health-science/why-its-good-for-grown-ups-to-go-play/2017/05/19/99810292-fd1f-11e6-8ebe-6e0dbe4f2bca_story.html
