Free Cyber Security Games
How To Play
Game Background
You’ve just been hired as the Security Architect for a fast-growing law firm, globally recognized as the go-to for some of the world’s biggest and most sensitive legal cases.
Their meteoric rise has catapulted them into the spotlight—but while the headlines got bigger, their security posture stayed the same. Behind the scenes, their defenses are outdated, fragmented, and dangerously unprepared for the level of threat they now face. Now, they’re a prime target for nation-state actors and elite cybercrime syndicates. Attacks are relentless. Resources are limited. And you’ve got just 24 months to turn things around. One wrong move could mean front-page headlines, massive financial losses, and careers destroyed.
Objectives
Your primary objective is to survive all 24 months without your organization being compromised by a cyber attack. If a cyber attack is successful, you immediately lose the game. At the end of the 24 months, you win the game.
Additionally, there are several secondary objectives that are used to calculate a unique score at the end of your game. These secondary objectives are derived from the real-world need to create a security program that not only secures an organization but does so in a cost-effective and minimally invasive way. Accordingly, unspent credits, employee productivity, and security posture are used to calculate the ending game score.
Game Metrics
- Security Budget: Represented as an allotment of credits. Credits are used when attempting to implement or deploy certain actions. The starting value is 100/100.
- Productivity: Represented as a 0-100 score and is used to determine how invasive a security program is in terms of reducing or increasing the productivity of employees in an organization. The starting value is 75/100.
- Security Posture: Represented as a 0-100 score and is used to determine how effective a security program is in terms of mitigating cyber security threats across an organization. The starting value is 0/100.
- Month: Represented as a 1-24 value and is used to represent what month the game is currently on. The starting value is 1/24.
Turn Order
The Security Architect is a turn-based game where months represent turns. Each month, a series of events take place, which are processed in the following order:
- Action Submission Phase: The action submission phase is at the start of the month. During this phase, players can plan and choose their next action. Once an action is submitted, the turn begins.
- Action Processing Phase: If an action is due to be completed, it is processed immediately after the month starts.
- Attack Processing Phase: If an attack is due to take place, it occurs immediately after the action processing phase.
- Game Change Phase: If there is a change in game state, such as a game win, game loss, or annual budget refresh, it occurs after the attack processing phase.
Example: Let's say you are on Month 3. You submit an action that will take 2 months to complete (e.g., Deploying SSO), and an attack is due to take place in Month 4. In this scenario, events will be processed in the following order:
- Month 3: Starts
  - Action Submission Phase: You submit the action to deploy SSO.
  - Action Processing Phase: SSO deployment action was processed but not completed (Month 1/2).
  - Attack Processing Phase: No attack processed.
  - Game Change Phase: No change in game state.
- Month 3: Ends
- Month 4: Starts
  - Action Submission Phase: Skipped as SSO deployment is still in progress.
  - Action Processing Phase: SSO deployment action processed and completed (Month 2/2).
  - Attack Processing Phase: Attack processed and successfully evaded.
  - Game Change Phase: No change in game state.
- Month 4: Ends
Budget Refresh
At the start of month 13, your annual security budget is refreshed. Make sure to spend as much of your security budget as possible before this refresh; if you don't use it, you lose it!
By default, your budget will refresh back to 100 credits. However, two criteria can influence whether you are given more or less than this baseline:
- Employee Productivity: The starting employee productivity is 75/100. Any increases or decreases have a 1 to 1 effect on the security budget. For example, if productivity decreases by 5, then the budget is decreased by 5 credits.
- ISO 27001 Certification: If an ISO 27001 certification is obtained prior to the start of month 13, the leadership team will provide you with a bonus of 70 credits.
Game Interface
Throughout the game, you’ll navigate between four main tabs to manage your defenses and respond to threats:
- Action Selection: Choose from 30 different security measures to implement. Actions are searchable and categorized into their respective control grouping (e.g., Identity Security, Human Security, etc.). Hover over each action to view a tooltip showing its financial cost, impact on security posture and productivity, and time to deploy.
- Deployed Controls: Displays all actions you’ve implemented so far, allowing you to keep track of your current defenses and any prerequisites you've already fulfilled.
- Incident Log: Shows a history of past attacks, including which months the attacks took place, whether the attack succeeded, and what the attack attempted to exploit.
- Threat Intelligence: Reveals upcoming attacks and suggests which actions you should implement to mitigate them. Use this to plan ahead and prevent breaches before they happen.
More Information
Are you after a full list of security actions or cyber attacks, or have some questions? Check out our knowledge base article.