Make Security Awareness training fun

Incidents make you realize how truly unprepared you are. Most of the computer-based security awareness training that I have used in the past 10 years has been dry. About 2 years ago, I discovered an older Black Hat 2016 conference talk by Tiphaine Romand-Latapie titled "Dungeons, Dragons & Security". I then thought about incidents that I lived through and applied this method to a short-form tabletop exercise.

My version of the original Black Hat game: There are 2 teams, good people and bad people. A priceless diamond is located on the seventh floor of a 14-story building. Bad people try to steal the diamond; good people try to keep it safe. Each team makes one move at a time, and bad people go first. Play for 10 minutes, then debrief with the master of ceremonies. Unlimited funds; only the laws of physics apply.

This works because no real security training is needed to play. Innovative and creative ideas flow quickly, and both players and people watching learn. A guided debrief after each round lets the master of ceremonies discuss where the current security posture would or could apply, and why it matters.

The next evolution of the game was to define characters. I chose to define CEO, CFO, COO, CIO, CISO, Chief Marketing Officer, and Bad Actor.

I then replaced the diamond scenario with 8 real-world incidents that I have lived through as an engineer, a mid-level leader, and an executive.

I asked tech resources to play executive roles, and I asked executives to change roles. Each time I played the game, it was fun, the participants learned something new, and empathy for each other was created.

Result: more awareness and a fun day.

How do you make incident management training fun, educational, and memorable in your organization?