![Imp Decision Making Sheets [Web Workbook]
List of SO and SC with its Cost-Benefit & Time constraints.
List of mandatory SO for compliance audit success.
“SO.Im” Sheet
List of Threats and its Impact and Frequency.“Th.Im” Sheet
Calculation of threat exposure once a threat is realized
(that is picked by the threat wheel).“ThExp” Sheet](https://image.slidesharecdn.com/gamenarrative-180425133236/75/CyberstratG-Game-narrative-12-2048.jpg)
CyberstratG Game narrative
- 1. A Cyber-Strategy gamethat’s easy to play but difficult to master Developed by Sr CyberSecurity Consultant ‘Tabish Asifi’ (E: tabish@alhosninfosec.com; tabish.asifi@live.com | Tw: @tabish.asifi) www.cyberstratg.com
- 2. You are theproud owner of a $100 Million (Revenue) Company
- 3. Your Company is Exposedto Cyber Threats Just Like Any Other Company in the Market.
- 4. Which means yourbusiness is exposed to all the typical Cyber Threats, which are on the rise.
- 5. High Level Objectivesof this Game Minimize the negative impact of Cyber Threats to your business. 1 Maximize the coverage of mandatory Regulatory and Legal compliance. 2 Maximize the positive impact on business through achievement of security objectives. 3
- 6. Core Elements ofthe Game Overall Objective: Maximize the over all net revenue of your company over a 3 year span. Key Resources: The Information you need for decision making is provided in the web worksheet. Key Skills: Identify and analyse relevant information and take decisions in limited time.
- 7. Time at disposal •A total of 3 year to maximize your net revenue. • Each year is represented by 1 hour of gameplay. (Fast track- 20 min.) • Total of max 14 investment decisions per year is allowed. • Hence you essentially get 20 - 60 min per session, for making key decisions for your investments, in the right security control / capability.
- 8. Budget at disposal •Security Budget: 1% of revenue per year ie C$ 1 million. • Since typically 10% of business revenue is assigned to IT. • And typically 10% of IT budget goes into security.
- 9. Investment Cards • SO-Security Objectives (Red | Black) • SC- Security Capability These cards are purchased by the players every year for investment towards threat impact mitigation, regulatory compliance and business objectives attainment. A Maximum of 14 such cards can be bought in a year.
- 10. Wheels of Threat •A threat is randomly selected by the Spin Wheel. • The frequency of common cyber threat is given due weightage during the selection. • For this game, the list of threats used is from NESA IAS (& ADSIC) threat catalogue. • A maximum of 6 threats are selected every year.
- 11. Links between differentcomponents Actualized Threats impact negatively your revenue. Investment in SO (Security Objectives) and SC (Security Capability) neutralizes or minimizes the impact of these random ‘threat’ exposure. Non-Compliance found through random regulatory audit impacts negatively your revenue. Investment in all the mandatory SO (Red Cards) saves you from the negative impact. SO (Security Objective) achievement/ investment also impacts positively your revenue by supporting your Business Goals.
- 12. Imp Decision MakingSheets [Web Workbook] List of SO and SC with its Cost-Benefit & Time constraints. List of mandatory SO for compliance audit success. “SO.Im” Sheet List of Threats and its Impact and Frequency.“Th.Im” Sheet Calculation of threat exposure once a threat is realized (that is picked by the threat wheel).“ThExp” Sheet
- 13.
- 14.
- 15. Team Play Red Team Blue Team Green Team Team NameRED BLUE GREEN Typical Mix CEO/CFO/MD/Board Legal/Audit/Compliance COO/CIO/CISO Perspectives Business Audit Operational Member no Members list below Members list below Members list below 1 2 3 4 5 Compete against each other # Recommended: 5 members for each team and each team brings a different and unique perspective to the gameplay.
- 16.
- 17.