In the world of cybersecurity, where complexity reigns and communication can often break down across silos, it might seem surprising to suggest that a card game could help. But more and more professionals are discovering that physical games aren't just entertaining, they're powerful tools for solving real-world security challenges.
One of the most compelling voices in this space is Adam Shostack, who famously developed the Elevation of Privilege threat modelling game. Speaking at AppSec California few years ago, he shared his belief that games are particularly good for security because they invite participation, foster collaboration, and offer a structured, low-pressure space for thinking differently.
Why Games Work
Games are attractive and intriguing. A simple deck of cards laid out on the table immediately draws people in. It sparks curiosity. It lowers defences. For busy developers, overwhelmed operations teams, or reluctant participants, this is no small feat. A physical game can turn a dry topic into something tactile and engaging.
More than just a gimmick, games create flow, a state of focused engagement where people lose track of time and immerse themselves in solving problems. They also demand gentle participation. When you're holding a hand of cards, you can't just sit out the conversation. You’re invited in, not coerced. It’s subtle, but powerful.
Importantly, the act of playing also provides permission to behave differently. Games break the rigid structures of hierarchy. A junior engineer might hesitate to challenge a senior colleague in a formal meeting. But when that same idea is wrapped in a card, it can be introduced playfully and safely. It creates a different context, a psychologically safer one.
The Value of Being in the Same Room
Physical games also offer something that purely digital interactions often lack: real human connection. When people gather around a table, they’re not just sharing ideas, they’re sharing space, glances, reactions, jokes. That presence helps build trust and empathy, both of which are critical for effective security collaboration.
Playing a game in person slows us down just enough to be thoughtful, while speeding up our ability to engage. There’s laughter, the shuffle of cards, the spontaneity of a well-timed comment. These moments humanise the process and often yield insights that would never surface in a PowerPoint presentation or a policy document.
Moreover, physical resources such as printed cards, tokens, or boards create a shared visual language. They externalise complex systems and give everyone something to point to, rearrange, and discuss. That’s invaluable when trying to unpick tangled systems or model threats in unfamiliar codebases.
Serious Outcomes from Serious Games
Games like those used for threat modelling or cyber awareness aren't just icebreakers or one-off workshops. They often produce real, actionable outcomes. A session might end with a clearer threat model, a prioritised list of risks, or a newfound awareness of security responsibilities within a team.
These are part of a broader movement known as serious games, games designed with a defined educational or problem-solving purpose. Whether helping teams map out vulnerabilities or encouraging cross-functional dialogue, serious games offer a structured yet playful context for critical thinking.
And the benefits don’t stop at understanding. They can help change behaviours, inspire better communication, and make security more accessible to everyone in the organisation.
Making Time to Play
In the rush of day-to-day work, it can feel indulgent to set aside time to play a game. But if the goal is to improve security outcomes, build better communication, and generate richer insights, then perhaps we should see it as an investment, one that delivers results you can’t get through meetings and memos alone.
In the end, physical games bring people together. They encourage us to think out loud, to test assumptions, and to learn from each other. In a field as collaborative and nuanced as cybersecurity, that’s not just helpful, it’s essential.
