Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Connect Directly
E-Mail vvv

Security Lessons from My Game Closet

In an era of popular video games like Fortnite and Minecraft, there is a lot to be learned about risk, luck, and strategy from some old-fashioned board games.

I was recently looking over my collection of board games. As my eyes moved from game to game, I thought about the strategy and approach with which I play them. But, then, an entirely different set of thoughts went through my head. I started to think about the security lessons each game can teach us, and in this piece, I'd like to share those valuable lessons with you. What can old-fashioned board games teach us about security? More than you think.

Risk: Where You Start from Matters
If you've ever played Risk, you know that starting in Australia gives any player a unique advantage. Since attacks can only come from one direction, there is only one direction to defend. This allows the player to focus on advancing more quickly. Likewise, in real life, reducing the attack surface gives security organizations a distinct advantage. If there is less risk exposure to defend, the security organization can focus its efforts on improving and maturing its capabilities, thus defending the enterprise more effectively.

Risk also teaches us about strategic distribution of resources. That means to avoid concentrating all of your resources in one area, and to be careful not to spread your resources too thinly. This is an important lesson in security as well. Determining the right mix of resources dedicated to a specific area is a key part of properly reducing risk and defending an enterprise.

Monopoly: Knowing When to Capitalize on Luck
While there is some skill involved in the game of Monopoly, there is also quite a bit of luck. A good Monopoly player knows how to turn a stroke of good luck into a strategic advantage. A good security team should understand how to do the same. On the other hand, it's important for security teams to know how to account for bad luck: We all encounter bad luck from time to time. The question isn't whether or not misfortune comes our way but, rather, what we do with it. In Monopoly, knowing how to account for bad luck and play through it is an important part of playing the game successfully. 

The same holds for security. For example, when staring at a stack of Monopoly money, it can be tempting to buy up everything in sight. The problem with this approach is that it can leave a player overextended and unable to pay expenses that may arise as the game unfolds. In security, it's important to reserve resources for events and incidents that may arise over time rather than overextending and being left without any means with which to handle bumps in the road.

Clue: If It Isn't Written Down, It Didn't Happen
I once worked with someone who enjoyed repeating the mantra, "if it isn't written down, it didn't happen." In the game of Clue, it's important to document each piece of relevant information to ensure that it isn't forgotten and that it can be leveraged later, as necessary. The same is true in a successful security program. Whether you are talking about security operations, incident response, engineering, compliance, risk management, or any other aspect of security, you must ensure that each relevant detail is properly described.

It's also critical that you understanding the impact of each piece of information. When confronted with information, what possibilities does it eliminate? What possibilities does it allow? As with Clue players, successful security teams understand how to map each relevant piece of information to the impact it has on the organization. This allows the team to continue to react, adapt, and improve as additional information comes to light, which is an important component of a mature security team.

Life: Every Security Program Is at a Different Stage
In the game of Life, different life events happen at different times. An event that may be welcome and joyful in one stage of life may be less so at a different stage. The same is true in security. Security teams vary in their capabilities and maturity. What may be a sensible undertaking for one organization may be either overwhelming or woefully inadequate for another. It's important to understand where your organization stands in order to properly recognize which efforts are right and appropriate.

The path through development and maturity needs to be planned out. A victory in the game of Life does involve some luck, but it also involves some skill and a strategically planned trajectory. In security, it's important to strategically plan the improvement, growth, and maturing of your company's security capability. Further, this strategic plan needs to be executed well at each different phase. This is easier said than done, of course, though example after example shows that haphazardly managing the evolution of a security program yields inferior results.

Checkers: The Pieces in Motion Matter
The pieces you move around a checkerboard, and the order in which you move them, directly affects the outcome of the game. The same holds true in security. A successful security program has many moving parts. Knowing which parts to move, at what time, and in what order is a challenge. Start by prioritizing resources to protect the crown jewels. No checkerboard allows for unlimited playing pieces. Knowing how to prioritize limited resources to protect the king is also an important skill for resource-constrained security teams. Every enterprise has crown jewels that need protecting, and resources need to be prioritized accordingly.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/12/2019 | 2:17:44 AM
Keep things separate
I would not have thought so deeply into simple games like this man. I mean it's supposed to be for enjoyment and the competitive edge on it is of course a big part of the game experience, but I think that we need to be objective in segregating what and how each things works in the end..
User Rank: Ninja
3/25/2019 | 8:53:47 AM
Good points all
But you missed THE GAME of them all - Chess of course.  Looking 5 moves ahead is always hard and a logic challenge.  Not all are good at it and I have learned only to play with humans.  IF you play online, it works with humans but NOT with a computer.  THEY can out-think anything and that works for AI intelligence too.  Computers can analyze 5 steps or more in advance and quickly too while we humans ponder and think.  While good, we also make mistakes.   (I made a dandy one this morning on Monday to start the day off with a horror).   Second, you play to block in the power players or avoid the QUEEN who can kill everything at will.   (Power of women, thank you!)   Third, the King (read that C-Suite) can do almost nothing save move 1 square at a time.  (Also Board of directors).    Now onward to ZORK and DOOM!!!

On DOOM- at a MicroAge dealership we often had children playing that and good life lesson - RUN AWAY FROM THE MONSTER.  And use the BFG9000 to solve all problems.  
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.