Decisions-Disruptions.org

The game

Decisions & Disruptions is a tabletop/role-playing game about security in industrial control systems. D-D players are challenged with managing the security of a small utility company: they are given a budget that they can spend among a range of different defensive options.

Decisions have to be made, taking into account a number of potential threats, known vulnerabilities of the infrastructure, past and ongoing cyber attacks, and of course budget limitations.

The game is best played with 5-8 players plus a Game Master who directs the players, enforces rules and provides the game’s narrative.


Build your own kit and feel free to get in touch if you would like any help running sessions or training game masters.

N.B., game is released under creative commons (non-commercial) CC-BY-NC
Decisions and Disruptions Lego Setup
Decisions and disruptions game cards

The game is now being developed by The University of Bristol Cyber Security Group as part of the Research Institute on Trustworthy Inter-Connected Cyber-Physical Systems (RITICS).

The University of Bristol Cyber Security Group is part of the Academic Centre of Excellence in Cyber Security Research (ACE-CSR) at Bristol. The group’s research focuses on three over-arching but interlinked strands: security of cyber-physical infrastructures, software security and human behaviours.

The Group participates in several major initiatives, including leading projects as part of the Research Institute on Science of Cyber Security (RISCS) and the Research Institute on Trustworthy Cyber-Physical Systems (RITICS), co-leading the Security and Safety stream within the UK Research Hub on Cyber Security of Internet of Things and leading the programme of work on developing a Cyber Security Body of Knowledge (CyBOK).


Meet the team

Dr Ben Shreeve


Professor Awais Rashid

Decisions and disruptions gameplay

Build your own kit

For a D-D session the players need no preparation, and indeed, players should not read the content of this rulebook!

Partial information and the element of surprise are key elements of D-D. But if you, the reader, want to be a Game Master, then download and read the rulebook: this is the reference manual that will guide you through the process of mastering D-D sessions.

Building your own kit:

Bricklink model - buy all the lego parts you need for one kit †

Visit our github page to download the following:

    • Rule book for v1 - The master guide

    • Gameplay cards - Print off the cards to accompany the lego and get going!

We also have the following beta components on our github page that you may find useful:

    • D-D Cheatsheet for game masters

    • D-D Scoring web-interface for v1‡


This service relies on a third party (bricklink) and as such access to parts may vary. This is a .zip file that contains a rudimentary website including javascript.SHA-256: 6803dc9c7f3bbf4efe8166769d509b584267a02f5907cf3084a5799298e217f8
Decisions and disruptions rulebook

Publications

  • The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game. S. Frey, A. Rashid, P. Anthonysamy, M. Pinto-Albuquerque and S. A. Naqvi. IEEE Transactions on Software Engineering, vol. 45, no. 5, pp. 521-536, 1 May 2019 https://ieeexplore.ieee.org/document/8194898

  • The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game. S. Frey, A. Rashid, P. Anthonysamy, M. Pinto-Albuquerque and S. A. Naqvi. ICSE 2018 Proceedings of the 40th International Conference on Software Engineering. https://dl.acm.org/citation.cfm?doid=3180155.3182549

  • SOUPS Distinguished Poster Winner: Cyber Security Awareness via Gamification: Lessons Learned From Decisions & Disruptions. Shreeve, B. Hallett, J. Atkins, R and Rashid, A. Poster at the Symposium on Usable Privacy and Security. https://www.usenix.org/conference/soups2019/poster-session

  • “So if Mr Blue Head here clicks the link...” Risk Thinking in Cyber Security Decision Making. B. Shreeve, J. Hallett, M. Edwards, P. Anthonysamy, S. Frey, and A. Rashid. 2020. ACM Trans. Priv. Secur. 24, 1, Article 5 (January 2021), 29 pages. https://doi.org/10.1145/3419101

  • The best laid plans or lack thereof: Security decision-making of different stakeholder groups. B. Shreeve, J. Hallett, K. M. Ramokapane, R. Atkins and A. Rashid. IEEE Transactions on Software Engineering, vol. , no. 01, pp. 1-1, 5555. https://doi.ieeecomputersociety.org/10.1109/TSE.2020.3023735

  • The best laid plans or lack thereof: Security decision-making of different stakeholder groups. B. Shreeve, J. Hallett, K. M. Ramokapane, R. Atkins and A. Rashid. Presented at International Conference on Software Engineering 2021 Journal-First Track.