Decisions & Disruptions is a tabletop/role-playing game about security in industrial control systems. D-D players are challenged with managing the security of a small utility company: they are given a budget that they can spend among a range of different defensive options.
Decisions have to be made, taking into account a number of potential threats, known vulnerabilities of the infrastructure, past and ongoing cyber attacks, and of course budget limitations.
The game is best played with 5-8 players plus a Game Master who directs the players, enforces rules and provides the game’s narrative.
Build your own kit and feel free to get in touch if you would like any help running sessions or training game masters.
The game is now being developed by The University of Bristol Cyber Security Group as part of the Research Institute on Trustworthy Inter-Connected Cyber-Physical Systems (RITICS).
The University of Bristol Cyber Security Group is part of the Academic Centre of Excellence in Cyber Security Research (ACE-CSR) at Bristol. The group’s research focuses on three over-arching but interlinked strands: security of cyber-physical infrastructures, software security and human behaviours.
The Group participates in several major initiatives, including leading projects as part of the Research Institute on Science of Cyber Security (RISCS) and the Research Institute on Trustworthy Cyber-Physical Systems (RITICS), co-leading the Security and Safety stream within the UK Research Hub on Cyber Security of Internet of Things and leading the programme of work on developing a Cyber Security Body of Knowledge (CyBOK).
Meet the team
Dr Ben Shreeve
Professor Awais Rashid
Build your own kit
For a D-D session the players need no preparation, and indeed, players should not read the content of this rulebook!
Partial information and the element of surprise are key elements of D-D. But if you, the reader, want to be a Game Master, then download and read the rulebook: this is the reference manual that will guide you through the process of mastering D-D sessions.
Building your own kit:
Bricklink model - buy all the lego parts you need for one kit †
Visit our github page to download the following:
Rule book for v1 - The master guide
Gameplay cards - Print off the cards to accompany the lego and get going!
We also have the following beta components on our github page that you may find useful:
D-D Cheatsheet for game masters
D-D Scoring web-interface for v1‡
The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game. S. Frey, A. Rashid, P. Anthonysamy, M. Pinto-Albuquerque and S. A. Naqvi. IEEE Transactions on Software Engineering, vol. 45, no. 5, pp. 521-536, 1 May 2019 https://ieeexplore.ieee.org/document/8194898
The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game. S. Frey, A. Rashid, P. Anthonysamy, M. Pinto-Albuquerque and S. A. Naqvi. ICSE 2018 Proceedings of the 40th International Conference on Software Engineering. https://dl.acm.org/citation.cfm?doid=3180155.3182549
SOUPS Distinguished Poster Winner: Cyber Security Awareness via Gamification: Lessons Learned From Decisions & Disruptions. Shreeve, B. Hallett, J. Atkins, R and Rashid, A. Poster at the Symposium on Usable Privacy and Security. https://www.usenix.org/conference/soups2019/poster-session
“So if Mr Blue Head here clicks the link...” Risk Thinking in Cyber Security Decision Making. B. Shreeve, J. Hallett, M. Edwards, P. Anthonysamy, S. Frey, and A. Rashid. 2020. ACM Trans. Priv. Secur. 24, 1, Article 5 (January 2021), 29 pages. https://doi.org/10.1145/3419101
The best laid plans or lack thereof: Security decision-making of different stakeholder groups. B. Shreeve, J. Hallett, K. M. Ramokapane, R. Atkins and A. Rashid. IEEE Transactions on Software Engineering, vol. , no. 01, pp. 1-1, 5555. https://doi.ieeecomputersociety.org/10.1109/TSE.2020.3023735
The best laid plans or lack thereof: Security decision-making of different stakeholder groups. B. Shreeve, J. Hallett, K. M. Ramokapane, R. Atkins and A. Rashid. Presented at International Conference on Software Engineering 2021 Journal-First Track.