Board Games as a Behavioural Collection Method
conference contributionposted on 2020-11-27, 12:18 authored by Tatjana Sidorenko
Traditionally, games have been viewed as a form of entertainment. Yet, given how engaging games can be their effects can be beneficial in many domains. This paper explores the use of games as a methodology of exploring the decision-making processes demonstrated by a group of information security specialists when role-playing as malicious actors.
To achieve this a board game has been designed which enables players to impersonate different types of attackers each with different motivations and goals. Each player is given a set of tools, techniques and procedures (TTPs) in form of cards and a set of end goals which need to be achieved in order to ‘win’ the game. By interacting with the facilitator, who is also representing the defending organisation or location, they voice out their intended actions and decisions and play a TTP card of their choice.
By adopting a persona in an engaging fictional setting players are freed from concerns associated with self-image maintenance and concerns about reputational damage and ultimately, are better able to construct creative and malicious attacks. The game methodology also provides a less limited framework for the data gathering, and with suitable facilitation allows the capture of a very diverse set of attacks.
By using this methodology, it is possible to gather a more diverse set of both decision-making behaviour and attacks, improving our understanding of offensive actors. This understanding will then be used to influence the creation of an agent-based simulation of these actors and scenarios.