Cybersecurity is never far from the headlines. From high-profile data breaches to ransomware attacks bringing global systems to their knees, it often feels like we’re constantly on the back foot. Despite massive investments in tools, frameworks, and compliance regimes, the industry continues to struggle with the same root issue: culture.
At CyberSec Games, we believe it's time to talk seriously, and creatively about the human side of cybersecurity. Our company exists because we’ve seen first-hand that traditional training approaches don’t go far enough. They tick boxes. They satisfy auditors. But they rarely inspire real engagement, lasting change, or the kind of shared responsibility that a strong security culture depends on.
What we need isn’t more reminders to update passwords. What we need is a mindset shift.
Why Games Work
Games are not a gimmick. They’re one of the oldest and most powerful tools for learning, collaboration, and cultural change. Physical games, in particular, offer something that e-learning modules and slide decks simply can’t: a chance for people to engage meaningfully, emotionally, and socially with security concepts.
Threat modelling games like Elevation of Privilege (EoP) demonstrate this beautifully. Widely used across the industry, EoP has spawned multiple adaptations, from cloud and mobile to AI and machine learning, created by experts who recognise how effective games are at getting engineers to think differently.
Why? Because these games mirror how engineers think. Developers are driven to make things work. But finding vulnerabilities before they happen means switching perspective, looking at a system critically, not just functionally. Our threat modeling games prompt developers with security scenarios rooted in real-world research, helping them consider edge cases and think broadly, not just deeply.
And there’s more. Games provide a platform where product managers, junior engineers, and security experts can all contribute equally. They foster honest conversations in a structured way, creating incentives to speak up and making it easier for diverse teams to combine insights. They create a flow state: balancing challenge and comfort, allowing people to stretch themselves without fear of judgement.
The Value of Being in the Same Room
Physical games also offer something that purely digital interactions often lack: real human connection. When people gather around a table, they’re not just sharing ideas, they’re sharing space, glances, reactions, jokes. That presence helps build trust and empathy, both of which are critical for effective security collaboration.
Playing a game in person slows us down just enough to be thoughtful, while speeding up our ability to engage. There’s laughter, the shuffle of cards, the spontaneity of a well-timed comment. These moments humanise the process and often yield insights that would never surface in a PowerPoint presentation or a policy document.
Moreover, physical resources such as printed cards, tokens, or boards create a shared visual language. They externalise complex systems and give everyone something to point to, rearrange, and discuss. That’s invaluable when trying to unpick tangled systems or model threats in unfamiliar codebases.
Serious Outcomes from Serious Games
Games like those used for threat modelling or cyber awareness aren't just icebreakers or one-off workshops. They often produce real, actionable outcomes. A session might end with a clearer threat model, a prioritised list of risks, or a newfound awareness of security responsibilities within a team.
These are part of a broader movement known as serious games, games designed with a defined educational or problem-solving purpose. Whether helping teams map out vulnerabilities or encouraging cross-functional dialogue, serious games offer a structured yet playful context for critical thinking.
And the benefits don’t stop at understanding. They can help change behaviours, inspire better communication, and make security more accessible to everyone in the organisation.
Making Time to Play
In the rush of day-to-day work, it can feel indulgent to set aside time to play a game. But if the goal is to improve security outcomes, build better communication, and generate richer insights, then perhaps we should see it as an investment, one that delivers results you can’t get through meetings and memos alone.
In the end, physical games bring people together. They encourage us to think out loud, to test assumptions, and to learn from each other. In a field as collaborative and nuanced as cybersecurity, that’s not just helpful, it’s essential.
