Episode 07: Dungeons and Dragons for Business: How to Use Role-Play to Understand and Resolve Security Issues

March 09, 2022

It’s time to eradicate a deeply rooted belief that security-related issues are only solvable through serious and hard-to-understand courses and lessons. Instead, it’s time to bring play into the play.

Our host Chris Roberts has an exciting announcement in this episode of Dr. Dark Web. We’re launching a new segment – Dungeons and Dragons for Business. In this segment, we’re going to take a look at tabletop exercises, things that we can learn, things we can help others learn, discuss collaboration, cooperation, communication, and coordination, all while taking a few moments to walk you through some theoretical disasters (and some not so theoretical ones…).

Chris shares the impact role players can have on every department within an organization struggling with different security issues. He also breaks down the game, explaining the number of participants, their roles, and the game’s aims. 

Podcast Insights 

🎙️ Who is it for?

Role-plays are not just for game enthusiasts; they are also critical for your tech and marketing department. Let’s not forget how beneficial they could be for management. The Dr. Dark Web crew is preparing a security-inspired game, and here’s what Chris says about who should consider taking part in such role-play. 

“It’s for the tech and the geek — no two ways about it. We’re having a little bit of fun on this one, but it’s also for leadership and management. It’s also for incident response handlers and for people inside companies. It’s also for MSPs and MSSPs. So, anybody that is likely to be going into a situation where they don’t fully understand that, especially in technology, you could argue this is for them because you’re going to learn awareness. You’re going to learn the very simple traits of asking another question. You’re going to look at what tools you have. You’re going to look at how you can use them and maybe collaborate and cooperate with somebody else [and] come up with something better.”

🎙️ How does it work?

Prior to joining the game, learn the rules. 

“If we have everybody on board, there’ll be three or four of us who are playing the game along with the special guests. So say somewhere between three and five of us who will be playing. One of us will be the dungeon master/mistress. […] The dungeon master/mistress role will be of that person who says, ‘Okay, you open the door, this is what happens. Or you decided to walk down the corridor, but you didn’t light the flashlight or the torch, or you forgot and that cost us a revealing spell. So three of you are now sitting at the bottom of a trapdoor. Or you walked into the darkroom, and somebody just got eaten. So what do you do?’”

🎙️ Why are we doing this?

As Chris explains, every participant will have a different character, and that’s because they all bring different skill sets to the table. 

“Some of us have experience in incident response. Some have got experience in how to build cloud servers or computer systems. Someone is new to this. So what can they do? How can they help? What can they learn? How do we want to bring them along? So there are all these kinds of conversations, and in Dungeons and Dragons, that’s represented by your skills.”

Episode Highlights

Role-Playing As a Critical Part of Training in the Security Field

The death by PowerPoint doesn’t work. It has never worked. I see so many people try to teach this stuff by getting a bunch of people in the class and going, ‘You’re going to sit here and listen to me for the next eight hours, and you get a break in four hours, time for lunch.’

[…] All of us like doing something different. We like role-playing and messing around. We’d like scenarios. I’ve got a pretty active imagination. And so, if you take that and build a scenario, it could be a real-life scenario. We’ve got to run through some real-life scenarios, but it’s also more collaborative. So we get away from just technology, and we talk about communication.

The Value Role-Plays Bring to Management

“It opens their eyes; it gives them insight into how we think. Typically, when you go into an incident, there are a couple of you working, and one of you is dedicated to communications, ‘How did it happen? Why did it happen? When did it happen?’

Our job is to answer as many of their questions as we can. Our job is also to help clean up and to help them understand when they can get back to work again. And so the more that they are involved with the scenarios or tabletop exercises, the better equipped they are to come to the table in a collaborative, cooperative manner.”

It’s Better to Learn Through Role-Play than Real-Life Situations

“In our industry, more often than not, we’ve learned through trial and error, and we’ve learned because something happened, and we had to learn very rapidly.

When you do something like a tabletop exercise, you get to make mistakes. And there are consequences. One of us is going to get chained to the side of a dragon. Somebody is going to become very crispy, and somebody is probably going to get eaten by the orcs. It happens. 

But you know what? None of us suffered. We didn’t lose the data center. The computers didn’t go. The bad guys didn’t get away with it. 

And, as long as we can negotiate effectively with the dungeon master, we managed to hit the reset button and go through it again.”