"This blogpost is 1 of 4 blogposts created during my fellowship at the Consortium of School Networks (CoSN). In addition to these blogposts, I created a report identifying five actions a school system IT staff can take to better defend IT infrastructure. It is focused on low-cost solutions for districts with minimal resources. That report can be accessed here."
For those who are not familiar, Dungeons and Dragons (D&D) is a tabletop role-playing game (RPG) that has been around for over 40 years. In D&D, players take on the role of fictional characters in a fantasy world and use their imagination and problem-solving skills to navigate through various challenges.
While D&D may seem like child's play, there is actually a lot that can be learned from playing the game, especially when it comes to incident response planning. Tabletop RPGs can be used to facilitate incident response planning exercises and help prepare IT staff for real-world cybersecurity threats.
Amy McLaughlin, CoSN Cybersecurity SME, CISSP, and experienced RPG gamer, avidly incorporates these games into her work with IT experts. She describes her approach this way: "The approach I use to running table-top cybersecurity incident response scenarios is heavily based on my experience running and playing in RPGs such as D&D, Cyberpunk, and others. RPG adventuring parties require teamwork, communications, and specialized skill sets to respond to and resolve challenges and address adversaries in the game setting. These are the same collaborative teamwork approaches needed to successfully navigate incident response."
With the increasing number of cyberattacks and data breaches, it is more important than ever for organizations to have a robust incident response plan in place. An incident response plan is a set of procedures that an organization follows when responding to a security incident. Establishing an incident response plan is similar to creating a game plan for a tabletop RPG. Just as a party of adventurers needs to have a plan for how they are going to defeat the dragon, an organization needs to have a plan for how they are going to respond to a security incident.
Tabletop RPGs can be valuable for incident response planning for a number of reasons. One of the biggest benefits is that they can help to create a common language and understanding among the incident response team. In a tabletop RPG, each player has a specific role to play and there is a clear division of labor. This is similar to an incident response team, where each member has a specific role to play in the response.
By playing a tabletop RPG, incident response team members can get a better understanding of the roles and responsibilities of each team member. This can be especially helpful in a large organization where the incident response team is spread out across different departments. McLaughlin elaborates that the RPG approach allows IT teams the opportunity to take on and practice roles they don't engage in. "For example, the primary information security team member may not always be available to lead response to an incident. Having other team members take the lead role in an incident response tabletop builds skills and experience being in this role."
There are a number of ways that tabletop RPGs can be used to facilitate incident response planning. One way is to use the game to create a mock incident. This can be done by creating a scenario based on a real-world incident or by coming up with a fictional incident. Mock incidents can be used to test an organization's incident response plan and procedures. They can also be used to identify gaps in the plan or areas where the procedures need to be improved.
Another way to use tabletop RPGs for incident response planning is to use them as a training tool. There are a number of incident response-themed RPGs that have been created specifically for this purpose. These games can be used to teach incident response team members how to identify and respond to different types of incidents.
There are a number of benefits to using tabletop RPGs for incident response planning. One of the biggest benefits is that they can help to bring a serious issue to a more approachable level. By using a game to simulate a real-world incident, incident response team members can get a better understanding of what they need to do without having to experience a real incident. This can be especially helpful for higher-level supervisors who may not be as familiar with incident response procedures.
Another benefit of using tabletop RPGs for incident response planning is that they can help to build teamwork and communication skills. This is because incident response team members need to work together to solve the problem.
Tabletop RPGs can be a valuable tool for incident response planning. They can help to create a common language and understanding among the incident response team, build teamwork and communication skills, and bring a serious issue to a more approachable level. Any team looking for ideas for incident response tabletop exercises can look to CoSN's online Cybersecurity Leadership Game launched in March 2022. The game contains many incident response scenarios that can be used in planning a tabletop event.