In order to build and maintain secure computer systems, it is vital that cyber security is understood and acknowledged as a critical issue by all levels of an organisation. To improve executives' awareness and understanding of cyber security, it is important that they recognise the potential impact that modern cyber threats may have on their business.
Experts in the Cyber Technology Institute at De Montfort University have developed a scenario planning game – SCIPS – in which a geopolitical situation plays out over the course of a number of turns. The scenario requires executives to make a series of investment decisions based around the maintenance of a Critical National Infrastructure facility: an electric power generation plant.
Each participant takes on a predefined senior executive role, with the teams being required to balance a limited investment budget against competing market, corporate and personal priorities. Each turn requires a team decision, which involves selecting from a range of potential security measures that may be implemented and choosing which budget will fund these measures.
The game has been designed to encourage discussion within the teams: all actions have potential benefits, but a reduction in any budget leads to a negative financial situation for at least one player.
As the game progresses, the actions taken by players can mitigate the impact of malicious actions upon their company, which in turn impacts upon the share price of the company.
Success in the game is based upon the financial status of the company at the end of the game, with the CEO of the company with the highest share price and projected dividend being declared the winner!
Game Overview – “Play Space”
The play space of the game is based around a game board, role cards, security activity cards (with associated costs and time), video feeds, newspaper ‘cuttings’, a tablet player interface and an overall leader board. All of the components of the play space interact, using a mix of soft and hard (physical) game play elements.
The game board provides an illustration of a power plant to set the scene for the players, and to act as a focal point around which they can gather. It provides placeholders for any security activities that are purchased, to act as a quick reference for their increasing defensive capabilities.
The role cards, which are picked at random by the players, describe their responsibilities within the organisation and their compensation packages.
There are 5 roles, each of which will have a different perspective on the situation given their position and responsibility. The roles are:
• Chief Executive Officer (CEO)
• Chief Operating Officer (COO)
• Compliance Director
• Plant Director
• Security Director
Videos and Press Cuttings
At the beginning of each round a video is played to the teams via their tablet interfaces. It presents a simulated news broadcast that explains the initial scenario that will subsequently develop as the game progresses. The videos are supplemented by newspaper cuttings that summarise the news broadcasts so that players can refer back to salient points.
Tablet Player Interface
The players within the teams interact with the game and leader board through the tablet player interface. In the example screenshot, a team purchases security cards.
The leader board displays the financial positions of each of the teams, providing a comparative evaluation of their performance at the end of each round.
The SCIPS game is designed to introduce and encourage critical thinking about the nature and timeliness of Cyber Security investment and to promote the view that it is a strategic issue for companies, highlighting the fact that investment during an attack is too late. Upcoming developments include the implementation of new scenarios; for example, an attack on a chemical engineering plant.
SCIPS has been developed by Allan Cook, a current PhD student in the Cyber Technology Institute at De Montfort University.
Cook et al., 2016. Using Gamification to Raise Awareness of Cyber Threats to Critical National Infrastructure. In: Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research. Available at: http://ewic.bcs.org/upload/pdf/ewic_icscsr2016_paper10.pdf