Winter is Coming!

PricewaterhouseCoopers GmbH (PwC) asked visitors to AFCEA 2019 in Bonn this week “Are you ready for the cyber threat?” It then invited them to play Game of Threats, a simulation designed to provide corporate management with an in-depth understanding of the process and dynamics of potential cyber attacks.

The game picks up on elements of ‘gamification’ and game theory – and creates a new kind of interactive experience for the user. Specifically, Game of Threats is about the ‘Team Enterprise’ having to defend its own company against the ‘Team Attack.’ The game mutates into a real experience, in which both sides are required to make existential decisions in the shortest time possible – and this on the basis of limited information and limited financial resources. Players are rewarded for good decisions, punished for bad ones.

The format is an interactive virtual card game, in which the actor can choose his or her next step, or can hire new specialists: for example, for the attack team, Compromise, Attack or Breach specialists are available. Each game is played by two teams, each of four to six players, for a maximum of 12 rounds. In the end, ‘social engineering’ appears to be the key to success for the attacking team.

A company’s managers are split into both teams in Game of Threats. This forces them to deal not only with their own perspective, but also with that of the attacker. While one team plans the next attack, the other must develop an appropriate defense. PwC moderators provide players with constant feedback on whether their decisions are heading in the right direction – and what alternative strategies might be considered. In the end, Game of Threats gives management a better understanding of how to deal with the cyber threat.

What managers learn through Game of Threats:

• Is my company even prepared for cyberattacks?
• What are the potential consequences of a digital attack on my company?
• Are we in a position to develop a suitable defence strategy before happens and is too late?
• What do the attackers think, what are their goals?
• What trends in cyber security do I have to know?

The simulation is normally run at the client’s office over a two to four hour period. PcW conducts an after-action review  after each stage, showing the relevant advantages and disadvantages. According to PcW, the learning process is very fast, and in the short to medium term, users will understand and appreciate it. This leads to a willingness by CEOs and CFOs to introduce and budget for appropriate measures. The simulation is conducted in combination with awareness measures, which are role-based and customised.

Next steps normally include a target-oriented workshop with a capability gap assessment, involving an interaction with an impact analysis, part of which is to answer the question “What do we need to counter the cyber threat?”  These workshops typically take three to five days.

Winter is coming. Are you ready?

André Forkert