Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Connect Directly
E-Mail vvv

Security Lessons from My Game Closet

In an era of popular video games like Fortnite and Minecraft, there is a lot to be learned about risk, luck, and strategy from some old-fashioned board games.

I was recently looking over my collection of board games. As my eyes moved from game to game, I thought about the strategy and approach with which I play them. But, then, an entirely different set of thoughts went through my head. I started to think about the security lessons each game can teach us, and in this piece, I'd like to share those valuable lessons with you. What can old-fashioned board games teach us about security? More than you think.

Risk: Where You Start from Matters
If you've ever played Risk, you know that starting in Australia gives any player a unique advantage. Since attacks can only come from one direction, there is only one direction to defend. This allows the player to focus on advancing more quickly. Likewise, in real life, reducing the attack surface gives security organizations a distinct advantage. If there is less risk exposure to defend, the security organization can focus its efforts on improving and maturing its capabilities, thus defending the enterprise more effectively.

Risk also teaches us about strategic distribution of resources. That means to avoid concentrating all of your resources in one area, and to be careful not to spread your resources too thinly. This is an important lesson in security as well. Determining the right mix of resources dedicated to a specific area is a key part of properly reducing risk and defending an enterprise.

Monopoly: Knowing When to Capitalize on Luck
While there is some skill involved in the game of Monopoly, there is also quite a bit of luck. A good Monopoly player knows how to turn a stroke of good luck into a strategic advantage. A good security team should understand how to do the same. On the other hand, it's important for security teams to know how to account for bad luck: We all encounter bad luck from time to time. The question isn't whether or not misfortune comes our way but, rather, what we do with it. In Monopoly, knowing how to account for bad luck and play through it is an important part of playing the game successfully. 

The same holds for security. For example, when staring at a stack of Monopoly money, it can be tempting to buy up everything in sight. The problem with this approach is that it can leave a player overextended and unable to pay expenses that may arise as the game unfolds. In security, it's important to reserve resources for events and incidents that may arise over time rather than overextending and being left without any means with which to handle bumps in the road.

Clue: If It Isn't Written Down, It Didn't Happen
I once worked with someone who enjoyed repeating the mantra, "if it isn't written down, it didn't happen." In the game of Clue, it's important to document each piece of relevant information to ensure that it isn't forgotten and that it can be leveraged later, as necessary. The same is true in a successful security program. Whether you are talking about security operations, incident response, engineering, compliance, risk management, or any other aspect of security, you must ensure that each relevant detail is properly described.

It's also critical that you understanding the impact of each piece of information. When confronted with information, what possibilities does it eliminate? What possibilities does it allow? As with Clue players, successful security teams understand how to map each relevant piece of information to the impact it has on the organization. This allows the team to continue to react, adapt, and improve as additional information comes to light, which is an important component of a mature security team.

Life: Every Security Program Is at a Different Stage
In the game of Life, different life events happen at different times. An event that may be welcome and joyful in one stage of life may be less so at a different stage. The same is true in security. Security teams vary in their capabilities and maturity. What may be a sensible undertaking for one organization may be either overwhelming or woefully inadequate for another. It's important to understand where your organization stands in order to properly recognize which efforts are right and appropriate.

The path through development and maturity needs to be planned out. A victory in the game of Life does involve some luck, but it also involves some skill and a strategically planned trajectory. In security, it's important to strategically plan the improvement, growth, and maturing of your company's security capability. Further, this strategic plan needs to be executed well at each different phase. This is easier said than done, of course, though example after example shows that haphazardly managing the evolution of a security program yields inferior results.

Checkers: The Pieces in Motion Matter
The pieces you move around a checkerboard, and the order in which you move them, directly affects the outcome of the game. The same holds true in security. A successful security program has many moving parts. Knowing which parts to move, at what time, and in what order is a challenge. Start by prioritizing resources to protect the crown jewels. No checkerboard allows for unlimited playing pieces. Knowing how to prioritize limited resources to protect the king is also an important skill for resource-constrained security teams. Every enterprise has crown jewels that need protecting, and resources need to be prioritized accordingly.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
4/12/2019 | 2:17:44 AM
Keep things separate
I would not have thought so deeply into simple games like this man. I mean it's supposed to be for enjoyment and the competitive edge on it is of course a big part of the game experience, but I think that we need to be objective in segregating what and how each things works in the end..
User Rank: Ninja
3/25/2019 | 8:53:47 AM
Good points all
But you missed THE GAME of them all - Chess of course.  Looking 5 moves ahead is always hard and a logic challenge.  Not all are good at it and I have learned only to play with humans.  IF you play online, it works with humans but NOT with a computer.  THEY can out-think anything and that works for AI intelligence too.  Computers can analyze 5 steps or more in advance and quickly too while we humans ponder and think.  While good, we also make mistakes.   (I made a dandy one this morning on Monday to start the day off with a horror).   Second, you play to block in the power players or avoid the QUEEN who can kill everything at will.   (Power of women, thank you!)   Third, the King (read that C-Suite) can do almost nothing save move 1 square at a time.  (Also Board of directors).    Now onward to ZORK and DOOM!!!

On DOOM- at a MicroAge dealership we often had children playing that and good life lesson - RUN AWAY FROM THE MONSTER.  And use the BFG9000 to solve all problems.  
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...
PUBLISHED: 2020-07-09
IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure l...