Playing a game

I’m at an EU Cybercrime Summit today and yesterday.  This may not sound very exciting, and, maybe considering this, the organisers arranged a game for us to play yesterday.  It was a simulation of a couple of different, but connected scenarios, and there was a web interface via which we could all interact with the engine.

The first scenario revolved around managing an attack on a piece of critical national infrastructure: we were acting as the CISO, and trying to work out our best course of action in terms of managing responses and communicating with various external agencies.  The second scenario had us as the head of a national cybersecurity agency, watching and trying to manage an emerging set of issues, including a Meltdown/Spectre-type vulnerability and various piggy-backed attacks.

At each stage, there was some explanation, and then a series of options for us to choose, along with a countdown, adding an element of tension to the process as we had to submit our answers[1].  Sometimes we had to choose a single option – “How serious is this issue? Not an issue; minor; substantial; significant; major; national crisis; international crisis” – and sometimes we could choose two or more – “Who will you inform about this?  Internal only; trusted parties; national cybersecurity bodies; national intelligence; international parties.”  We were encouraged to discuss our choices with our neighbours before we made them, and once all the answers were in, bar charts were displayed on the screen in front of us (and on our devices) showing how everybody had voted.

At the beginning of the process, we had been asked to enter some basic information about ourselves such as sector (public, industry, academic, etc.) and expertise (security, policy, justice, etc.), and for some of the bar charts, a further breakdown was given, showing how the sector and expertise voting had gone.  Experts at the front gave their opinions of the “correct” answers, and reactions as to how people had voted.

I’d not participated in a game/simulation like this before, and had no idea either how it would go, nor how beneficial it might be.  To my surprise, I enjoyed it and found it both interesting and educational.  The scenarios were broad enough that there were unlikely to be many people in the room who had expertise across all of the different issues.  I enjoyed discussing my thoughts with a neighbour who I’d only met earlier that day, and then discussing with him whether we agreed with the experts’ views.

In short, it was a very useful exercise, and I’m wondering how I could apply it to my work in different contexts.  It was educational, fun, provided opportunities for forming relationships – we found ourselves discussing scenarios and issues with others around us – and allows for further analysis after the event.


1 – I’m not often one to link to external products, but this one seemed good, and has a free pricing tier: it was called Mentimeter. The game was run by AIT (Austrian Institute of Technology), Center for Digital Safety & Security.

Author: Mike Bursell

Long-time Open Source and Linux bod, distributed systems security, etc. Now employed by Red Hat.
