Hans Metsoja
Currently information security manager at Opera browser company.
Previously various roles in MS/Skype, Telco, software development. Usually does whatever random things are needed, so I have never had a clear role definition.
Session
Not sure how exactly to write that CFP, so it's free form. I can clarify all topics.
Title: Why playing board games and D&D in cyber security is actually useful?
ALT title: Why playing board games and Dungeons & Dragons at work is useful?
Abstract:
I had a tiny bit of experience playing tabletop security games, as well as being part of an organizing team. But never alone, nor am I an expert in game theory. I just like DnD and RPGs and I work in cyber security.
When I reworked the incident response process in Opera and there was a need for training, I decided to do it in the form of tabletop exercises using pen and paper and fake scenarios.
In total I held 8 tabletop games (half a day each) in 4 different offices, total participants ~100. 3 different main scenarios and some variations.
My talk would be about (general + personal experience):
* Different levels of security training and their usefulness. And why do we train at all?
* Why tabletop/gamification
* My personal learnings and failures in designing such games, eventually what worked and what A/B testing I used. If you want to run your own games alone.
* Company (player) failures.
* Actual examples of failures (no names disclosed), illustrating
*** Why such games are needed
*** What they teach us
*** How we still make such obvious mistakes
*** What people tended to fail in specifically (And what did each specific failure illustrate)
*** What people's feedback on such training was (maybe, there were a few interesting findings)
* Key points I would recommend anyone to consider while designing a game / scenario
I have permission from my employer to do the talk, talk about examples etc.
However, they have asked not to record and publish this later. Only at a conference.