
Dungeons & Dragons: Game-Based Learning for Security Training

BSides Las Vegas · 2025 · 47:18 · 13 views · Published 2025-12
About this talk
Klaus Agnoletti and Glen Sorensen explore how tabletop RPG mechanics can transform cybersecurity training beyond dry tabletop exercises. The talk demonstrates how game-based learning—distinct from gamification—builds muscle memory and engagement for incident response, threat modeling, red-team operations, and compliance scenarios. They present HackBack, an open-source framework combining D&D-style roleplaying with security education, and discuss scaling games from small teams to enterprise exercises.
Original YouTube description

Identifier: HVRLVM

Description:
- “Dungeons & Dragons: The security tool you didn’t know you needed”
- Advocates game‑based learning for cybersecurity training.
- Shows how RPG mechanics improve engagement and understanding.
- Demonstrates roleplaying in incident response and zero trust scenarios.
- Provides evidence for effectiveness of game‑based learning.

Location & Metadata:
- Location: Common Ground, Florentine F
- Date/Time: Tuesday, 17:00–17:45
- Speakers: Klaus Agnoletti, Glen Sorensen

Transcript [en]

All right, good afternoon everybody. Welcome back to BSides on the ground floor. All right, so for our talks now we have Dungeons and Dragons, the security power tool you didn't know you needed by I'm so sorry, Klaus and Glen. Yeah, >> right. And a few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Iikido, and our gold sponsors, Profit and Run Zero. It's their support along with other sponsors, donors, and volunteers that make this event possible. Now, these talks are being streamed live to YouTube. And as a courtesy to our speakers and the audience, we ask that you check to make sure that your cell phones are silent.

If there's still time after the talk is finished, there will be time for audience questions where I will pass the mic around for anybody who would like to ask. And as part of the cell phone policy for BSides Las Vegas, there is no photography allowed. And with that, I think we'll pass it off to our speakers. Give them a round of applause. [applause] >> Well, thanks and and welcome. Um, the f the first thing I want to say is that that there's no reason to take photos of any slides because the last slide will be a QR code to the to download the slides and I promise it's not yet. So, no, don't worry. I'm not going you're

not going to going to get hacked >> this time. >> This time. Yeah. >> All right. Who we Well, anybody who has black cats knows this problem because first of all, can't really take photos of so so you can see how damn cute they are. And if you do to have happen to take a photo, nobody can see how damn cute they are >> because yeah, little voids they they are there. It's not like I have a misshaped misshaped head head or anything. [laughter] >> But I live um with these two rascals and and also my wife in Copenhagen, Denmark. Uh I've been in security for 20 years. I'm um I've been an adviser internal

external consultant. Then I two years ago I became a freelancer. I wanted to do more fun stuff. I've always been into games and and thought that you know games and having fun and learning sort of had sort of got went together. So when the opportunity came to do something around this along with Glen and I jumped at it and uh of course then we are here to convince you to do the same. >> All right. And uh uh so this is me uh or AI me kind of. I don't actually have a beard like that. I do have cats like that though. Uh we have four cats. Uh my my wife and two children and I have four

cats which sometimes seems like 47 cats. Uh but they're good sports. Um I've been in the IT and security space on about 20 years depending on how much misspent youth you count in that too. Um I've held a number of roles in my career. Uh so seen a little bit of everything. um gotten gotten okay at a lot of things, maybe you know, master of none or few. Uh in my childhood, however, I spent a lot of time playing Dungeons and Dragons style games. And little did I know, um I would later have the chance to make that blend with my career a little bit. So, um so that's kind of why I'm here. >> Yeah.

Well, um, we'll be talking about what we see as a problem with traditional training and how and and then we'll talk a little talk a little bit about how the human brain is wired for games and and social learning. Uh, then we'll talk about, you know, how role playing itself creates an immersive engaging experience. And then we'll talk about HackBack um HackBack security train that doesn't suck. So, all right. But but first of all um you might have heard about gamification. You may not have heard about game based learning. They are two different things. Game based learning is when the game itself is the way to learning. And gamification is turning something that's not a learning experience into some kind

of I don't know competition. For instance >> gameish. >> Yeah. For for instance, who which team does the magnificently boring security training first gets cake? I'm from Denmark, so everything is done in cake, right? And that's not what we would not we're going not what we're going to talk about today. All right, we'll be talking about game based learning. So yeah, what's the problem with training? Well, there is a bunch of different uh different approaches to training. That's like class class based training, computer based training and but they are very f theoretical. It's a very intellectual way to learn and that's not what we need in incident response. We need >> people standing up like this talking to

you. >> Yeah, exactly. We need muscle memory, right? So we have tabletops in incident response and that should that should be it, right? But, you know, that's not really how it is because they're often really really dull. It's basically people standing sitting around the table talking about procedures and what have you and that's just not any fun. So, often times this is what people are forced to do. They do it because they have to. They can't wait to get out of there. They fight the scenario. they try to do everything they can to sabotage everything so it goes haywire, you know, all that stuff. We we don't need that. We need people to be honest.

We need them to be happy. We need them to to learn and have fun and all that stuff. So, um yeah. All right. Um tabletops. So, this is the idea that we're uh we're we're sitting down and we're talking through a scenario and things that might happen. Um, this is typically a uh a compliance checkbox. Um, it's it's done for a reason, but sometimes the the value in that can be lost. What we want to do with them is build muscle memory um on incident handling or uh or anything else you're doing a tabletop about. We just tend to gravitate towards incident response as the the main application for it. Um >> yeah yeah yeah it obvious it's better

when everybody know knows their role and it's a relatively cost effective way to train teams rather than putting it rather than setting everything on fire and then go >> and letting your lizard brain having to work with your lizard brain taken over. So >> yeah. >> Yeah. So yeah. Yeah. So we we do tabletop exercises and the goal is preparedness coordination stuff. So but you know what what's the problem with with how we do them? um traditional tabletop exercises and why they can sometimes suck. >> Um but but anyway, this that's our experience. We're not we're not saying that whatever tabletop you do will suck. We just say based on our experience, it probably does.

>> And [laughter] and and I I'm a tabletop exercise geek. I I I love them, including the traditional ones. Um, but I've I've I've heard so many stories about people saying, uh, this is this wasn't great. It was it was a checkbox. It was a a scripted thing that didn't necessarily represent reality. It didn't uh it didn't get to what we were trying to get to. It was um sterile and people were bored. So, >> yeah. So, so we see what what we see generally is people protecting their own turf. They're not being honest. They don't open up. We have egos clashing politics. >> Yeah. It it's even worse when there are more than one ego.

>> You have people that uh they're they're afraid to speak up in front of their boss that might be in the room or they're afraid to, you know, to look bad or look like they don't know something uh amongst their peers. Um it's the some of the posturing and you know some of the stuff that humans do. >> Yeah. And obviously there are people fighting the scenario. There is always that person >> that's impossible. That could never happen. Our EDR would have handled that. >> Yeah. And and there's always a guy [laughter] >> anyway. >> I mean the kind of the nature of an incident is your EDR didn't handle this, right? That it didn't just solve the

problem. Yeah. But when we realize the most important thing, the most the biggest problem we see with it is that there is no um there is no focus on engaging participants. Um I was at a seminar a couple of years ago where I talked to the people that arranged the the NATO exercise locked shields and I asked them, well, what do you do to engage people? And they literally looked at me as I just fell down from the moon. So they it's just not in their in their mindset at all. >> Engagement like what is that what is that thing? >> And obviously and obviously the most cardinal sin here is that there tends to

be this misunderstanding that is if something is fun it's not serious but that's in reality not how it works because training like this need to be fun. If it's not fun people don't engage and if they don't gauge >> there's this >> why even do it in the first place. the this perception in in business among some circles that like you can't have fun and learn at the same time when the opposite is true. >> Yeah. >> So so obviously the result of this is dull, no engagement, no learning, no freaking point. So >> you're not getting the value out of it. >> So is there another way? Well, funny you should ask [laughter] because obviously there is. So let's

talk about that for now and and how that works. Yeah, it turns out that when we that when we talk about game based learning and I talk to potential clients about this um it's it's not really that good an argument saying that it's fun that's why they should do it. So I I look I look to I look to science for authority. So I found that luckily science backs up what we what we have known all the time. So I found a few a few studies and a few analog quotes a few quotes. Most studies in the sample reported analog game-based learning as an effective pedi pedagogical tool with an impact on the learning cognitive and psychological

levels. So that's that's an article from from Frontiers in Psych in psychology. So well well that's that's good right in in general game based learning works. So but but what is it and how does it how exactly does it work? Um this is my favorite quote. You'll see why. Uh this this is about why why together why collaborative learning is a thing. So basically the quote is that I think we're all impressed by how stupid humans are. [laughter] It reaches almost every every proportions. We're stupid in dozens and dozens of way of ways. But human minds are plug-and-play devices. They're not meant to be used alone. So, um, they're meant to be used in networks. Games

allows us to do that. So, they allow us to use collective intelligence. So, collectively, we're not so stupid, at least in theory. Um, that's an article up summing some summing up a panel debate at Stanford. Um, and um, obviously there are many ways to implement game-based learning. We we chose the role playing kind. And uh luckily there are people researching into that as well which I think is enormously cool. Um so yeah again when Dungeons and Dragons and its cousins are played in an inviting, encouraging, compassionate and intellectually engaged environment play opens the door to truly amazing possibilities for learning. Um, but so the scientific uh backing does exist, but to be honest, we're geeks and that's not really we don't

really care about the science, right? So, we'll say any excuse to do Dungeons and Dragons in our grown-up jobs and >> have a good guessing you will you probably also will. So, thank you very much. [laughter] >> Um, so yeah. Um, role playing is immersive um, often in uh, some unexpected ways and it gives you a chance to play something outside of yourself. Meaning what [clears throat] you do in your day job doesn't necessarily have to be what you do in this game. Uh, you can play something that is outside of your normal role. you can learn things that you can approach things from a different perspective without having to be thrown into the you

know marketing manager's role um because nobody else can do that in the midst of an incident when your lizard brain is taken over and you are totally unprepared for doing anything like that. So um communication is uh is one of those pieces that uh that I like to uh point out to people especially tech teams uh tech focused individuals. There's a lot of there's a lot of things that need to happen uh on the communication front during an incident. uh you don't communicate with your tech teams the way that you're going to communicate with your end users, with your customers, um with various categories of people that you might have to interact with and talk to about the incident. So,

>> yeah. So, so, so basically what what we've seen when we when when we're playing this is that compared to an to to a I guess an ordinary tabletop, people are acting a lot different because they laugh. They laugh a lot, right? And that's good because when people are immersed and when when they're having when they're having fun, they immerse. And when they immerse, they forget their egos. They forget >> some of those negative in the traditional tabletop exercise go away. >> Yeah. Just just like just by magic, right? >> So and and there are more in general, but the but the unexpected bonus of doing this are like things like empathy, meaning that It's a role- playinging game, but nobody

says that the role you're playing is a is is the exact same role that you should or are would be playing in in an incident. That means if you are switching roles around, people get an a feeling of how would it be to be another role. And my favorite example is that when you're a very technical person, you tend to think that that's the only thing that matters. But what if you take a person like that and put them into the role of a communication responsible like head of communication? So all of a sudden they get this epiphany that oh this stakeholder management is a freaking [ __ ] show right [laughter] and it and and also and and and you know but

but that's also very very important important part so building empathy meaning that you understand the other people in the team so it will automatically become a better team >> and the the flip side of that too is if you put a you know chief marketing officer in the role of the IT manager they gain an empathy for the pressures that are part of that role that they had never thought about before. Uh so how do you how do you then be that person in the midst of you know crisis or chaos or you know whatever this thing is? >> Yeah. And and also you get a more lifelike situation because when you're sitting around the table talking about

these uh these procedures, it's very easy to not see that one person is actually doing the doing everything. And obviously as we all know in in an incident one person can't do everything. That's just how it is. because this is because this is a game, it allows us to put a structure on it that uh that that otherwise doesn't necessarily exist in the same way. >> Um it it balances some of that imbalance in participation that happens kind of kind of naturally. You get the people that uh that are doing all the things in the in the exercise and you uh the other side of that is you have folks that are afraid to speak up uh or don't want to

speak up for you know insert reason here and that levels that that field a little bit. Yeah. So, um yeah and and that that that is one thing and also we we introduce the 20sided dice and the reason we we do that is to introduce um randomness because in real life and that's not only true in incidents in real life you can do all the right things but the it just doesn't work. And how many times have folks who've been in incidents found that maybe you weren't logging exactly the events you thought you were logging? Maybe your backups aren't as robust as you thought they were or aren't covering the things that that you thought. So

this gives u uh the dice roll gives this this randomness gives us a a more realistic experience. It doesn't just play out how we thought it would. So yeah, well this is um enough J chatter. HackBack is tabletop exercises the fun the fun uh the fun kind. There's a website there's a QR code that's also totally legit and there's also like a LinkedIn thing promise you can feel free to promise or you feel feel free to follow. So um let's talk about what it actually is. >> Yeah. Um, HackBack is a framework. Um, it is a structure that you can put around a lot of things more than just incident response for example. That just

was the first place that we kind of gravitated to with it. Uh, it seemed the first natural application. Um, but we can do a lot of other things with it too. Um, think about uh, you know, offensive security or you know, use your imagination. Uh you can do basically anything you can imagine with it. >> Yeah. So so we HackBack is open source soonish meaning that we we want to open up open it up but we also want it to be in a state where people can use it and we really really hate that writing documentation. So >> takes a little bit of time >> but there but there is a GitHub and it's private and you can be invited if you

join our join our >> you can message us and we can yes our discord which we will show you soon. [clears throat] Uh but yeah but uh let's talk let's talk more about what it can be used for. Uh so this is why you will see that it this is actually or this is truly the security universal security power tool that um you didn't know you needed because these are just examples and it's all about getting the right idea and I know and one and one thing I do know is the security folks are really good at getting more or less good ideas but at least ideas so I'm sure that you'll can find you you can find even more good

things that we have good applications that we have the first thing is abstractify which is a middlely a madeup word but uh [laughter] if the point is that you you can use it to to to explain concepts that is a bit that otherwise is a bit hard to explain for zero trust what hell is zero trust anyway anyways I mean I mean it's not like somebody at black hat thinks that products but you can play a game where you are where you are going through a scenario and and not calling it zero trust but actually >> concept steps are built in. >> Yeah. And then and then afterwards you can say, "Whoa, that was zero trust."

And people are like, "Oh, that was zero trust." >> So you've kind of backed your way into an understanding of what zero trust is and what it means. >> Yeah. Or or something as IAM user management. It's very very important, but it's also super super boring, right? So So companies that don't have to do, they don't [clears throat] understand why is my AD not good enough? Well, let's play a scenario, right? And then you'll get [ __ ] over because you only have a freaking freaking AD, right? So, and then you learn, right? Or um you can use it to to teach non nontechnical people about security because sales and marketing traditionally they don't know

[ __ ] which is how it is. But obviously you you can also teach them teach them via game. They can know the they can know how it is how is it to be in an incident or how does a hacker think if you just put through the right scenario. They don't need to know all the all the technical stuff because that's the beauty of role playing game. We're just making it up, right? We're just talking about it. So, we can talk it talk about it at a more at a higher level higher level of of abstraction. So, it doesn't have to be all technical jar jargon. You can really have a conversation about conversation about how you would handle

this thing. >> Or you can introduce a non-player character who is actually the technical the technical genius whereas the one who who don't know can then you know spar with this nonplay character and then go through the incident like that or whatever you come up with. And kind of the other side of that too is you can go deeply technical with a a technical team uh using the same focus. It's it's very flexible in that way. >> Yeah. >> Uh you can also use it to to teach teamworks. For instance, a scenario of f where five people are task to break into a building. All the five people have they're good at various skills. They can

they can each carry two things that are different. So obviously it's a game about hacking and entering but it's also a game about teamwork because if you can't work together then you can't pass the game. >> No one person can do everything. So >> yeah or or marketing events you you can you if you can use it to as a sort of a lightweight puck I guess you can call you you can write scenarios about what which services your company does or which products you >> this is where our product might have helped. Yeah. Um or you can use it for a seam events. I've played the thing with Dungeons and Dragons is that it doesn't

really scale very well. You can't have 25 characters in a game then it would take 14 days >> many many many hours more than [clears throat] you have more than you more than you have attention at the very least. But but [laughter] if you divide people into groups so that instead of a person a group is a is is a character or you can put people into groups and then they can discuss what's what should which character do next. Then you can try to scale it. I've done that I said with with up to 25 people you can probably scale more. Who knows? I haven't tried that yet. And you can use it to talk about real events. You can

talk about you can use it to communicate how did our team handle this and that event. This is one thing is writing a report about that breach or whatever, but that doesn't make them make the make people feel how was it really. So you can you can also use that as an extension of reports of >> and I've done a number of games and scenarios over the years based on real things that have happened. Uh let's live through that. You could also do famous events. Um how about like Stuxnet for example? How did that play out? You can use this to you know to play that. So [snorts] yeah, as I said the the possibilities are are l are literally

endless just you just need the right idea. So um be beyond beyond the incident response you know that's one thing but um uh you know that that that is like classic defense response to ongoing attacks offensive security like real red team operations penetration testing scenarios. Um or defensive security you can um do proactive threat hunting security architecture design attack and defense you can have like two teams playing against each other in the same scenario in a ransomware west scenario where one is the attacker one is the defender one is one one is a group one is the company and both have to do have to do stakeholder management for instance and the part of the game is negotiating

ransom >> or purple team and cooperative >> yeah yeah or or or you can put on top of of of of of a private team exercise if you also want to train the whole crisis management part of something going specific in your infrastructure. Uh and our newest idea or newest project. Yeah, sorry I forgot one thing. We can also do hybrid scenarios. We can also do risk assessments. Um >> again, you get back into some of those those more abstract concepts that uh if you don't work in them or haven't worked in them, you may not understand. >> Yeah. And and you know, everybody or at least the mo all of the technical people I know, they really really hate risk

management. I and I get it because it's it can be it can be extreme. It's usually really really boring. But if it's if but if you take a risk management scenario say we are in the Star Wars universe we have risk as in the Death Star one can be beat that waiter who in here wouldn't play that game [laughter] right but in but in reality we are we we we're [ __ ] with you so we we we're trying to teach risk management without you without you even realizing >> right so that's one thing and our newest project is called Malware and Monsters that's that's a collaboration with uh with Mel They um they made um for all malwares

they so sorry I'm from Europe so as a malware so if I if you don't understand then just think malware >> malware >> malware all right anyways they uh for all for all malwares they they've created like a like a a Pokemon character they're called mmons mware monsters and uh I was I was approached by them earlier this year and they asked me if I could do like a game with them, a game with those mo moments. So, I've created like a Dungeons and Dragons or we've created a Dungeons and Dragons h Pokemon hybrid kind of games where all p where players collect Pokemon sorry mullmans in their mold decks um the moments evolve if you don't contain them

and um all sorts of other probably recognizable things mechanics. So, not only do you collect the moments, you you also learn about malware malware history, about strains, about containing them because that's what the game is about. And it's a m it's a it's at malware and monsters.com available now. I'm doing a workshop on sorry we are doing a workshop on Saturday about it where we are teaching experienced dragon players and security professionals to play the freaking game. where >> in a in a malware in a malware village but unfortunately the uh is over sign [laughter] but uh anyway come come to us if if you want to learn more uh we can probably arrange something at some point we are

we also trying to build a community around that so um yep but uh let's let's talk about more let's talk more specifically about the incident response edition of HackBack >> yeah um so we We find it the the most natural place to gravitate to to begin with being incident response. You hit the um so it's run by an incident master or dungeon master. Uh at least that's the theory. Uh but this person has the same role as a dungeon master. It is about facilitating the incident. It's about moving it uh moving it along, being the the referee and telling the story. >> Um >> Yeah. Yeah. Know and and also adjusting the difficulty because the whole

objective of the game is for people to go through it and learn. They don't learn anything if they just roll one all the time and they're stuck, >> right? >> If they just fail or just successful, >> they also learn they also don't learn anything if they just roll 20 all the time and everything works. So the incident master is you're automatically trying to, you know, make it just the right amount of hard. >> So there's there's a fair bit of thinking on your feet and adapting and anybody who's been a dungeon master for uh a role playing game or similar understands that. So [clears throat] >> yeah, >> um this is this trains a team with broad

skills. Um, it can also be used for depth, but we find the the better application for it is in the breadth of skills. Um, having a character who's a CFO, what what role do they play in an incident? Well, I mean, they they have to sign off on, you know, things that are purchased. Um, maybe this whole happen this whole thing happened because of something they didn't sign off on before. Uh, so there's a role of the CFO. There's, you know, communications manager. How do you manage the communications in an incident? Who are you communicating with? Who's who is important to communicate with? The messaging isn't going to be the same. And I think uh that's often uh

overlooked sometimes, all of the the the effort and nuance that goes into that. Um we have >> [clears throat] >> uh your your typical technical incident responders. They have a role in this too. Um, and really you can build a scenario uh for your audience that covers any any need or any any objective. When you when you want somebody to expand skills in a certain direction, you just put a character in there. They don't have to play themselves, they play a character. Um, the one of the things to keep in mind about a character too is you have to help help your players get into character a little bit. Um, and we have some interesting ways to do that and I

think we talk about that more later, but uh, whenever there's an action, you roll a d20. Is it a an easy, medium, or hard thing? We can adjust the roll based on that. Um, that's our randomness again that we were talking about earlier. Um there's not everything is going to go according to plan as happens in an incident. >> Yeah. >> Um we we like open-ended scenarios. We like things that are maybe start extremely vague or abstract or there's a lot of uncertainty at the beginning because think about the the alerts that you might get that start an incident. Well, we know something happened. What was it? Now we've got to go figure it out. And

you can play through and uh and let this unfold in story form. >> Yeah. Just like real life. >> Just like real life. A real investigation. >> Yeah. >> All right. So we have characters. Um these are just examples. Uh again the the sky's is the limit. um CISOs, IT admins, CFOs, marketing managers, middle managers, GRC analysts. Um they all have modifiers. Some roles may uh may be good at hardware or software or security. Some might be particularly bad at that and might not have any experience at all with it. Some might be extremely likable and get a plus two to likability. Um [laughter] >> or or the opposite >> or the opposite. So talking about which

we also have stereotypical relatable characters because because obviously we need >> we need people who have who haven't seen this before and seen the game before get the characters right away and and and a good way to do that is by using stereot stereotypical characters and my favorite is this Microsoft system architect who is a huge Microsoft zealot who really loves everything everything Microsoft and truly believes that the only reason why the Lumia phone fails was because he was ahead of his time. He they he also really really loves Linux. They also have minus two likability [laughter] or the CFO who only thinks about money, right? Because we have all met those people, right? We uh we like to to play

up a few of these like stereotypes and some of these some of these attributes or some of these traits uh because that that is really what lets a player latch on to a character and get into character. You can play up some of these things and immediately start having a good time and and that's what it's all about. That's really why we're here. >> Yeah. >> Alignment. >> Alignment. Yes. um you know your your lawful evil CFO. [laughter] >> Yeah. Yeah. So yeah. So get getting into character can be a little bit hard especially if you don't have Dungeons Dragons experience. But one one way to do it and one way that also effectively break the break the ice is is in the

beginning of the beginning of the game where we ask people to introduce themselves as the character and the smallest thing can make people crack up. I then I played a game at some point where there was this guy who had the like the character of a woman and you know nothing wrong with that or anything but he made a high pitched voice and it was really really stupid but it was freaking hilarious. >> Everybody immediately started laughing and that set the tone for everything else that came after >> because that is where the magic happens. This is where people where where where the ice breaks. This is where people engage >> that laughter switch. >> Yeah. So um yep that's it. This is the

magic. this magic time. All right, let's uh play for a couple of minutes a very very simple scenario but as one big team. So just just to show you how it works. So obviously this this is our company their entire IT infrastructure is is in Azure. Um, it's Friday 4:15. 4:50 because >> because that's when incidents start. >> Exactly. [laughter] Exactly. And we get an alarm from Microsoft Dart or whatever they're called these days. Uh, there's an there's administrator for marketing who logged in and uh they're on vacation also. They log in from Romania. So, what do you do, >> right? Any suggestions? >> Open that up a little bit. >> It's cool. They're doing work remotely,

[laughter] >> dedicated, [laughter] >> but but but but obviously you could look at this from different points. You you can either take a take a technical, look at the logs, what they're doing, block things off. You can call them up. Don't make the Microsoft guy call them. Maybe you should have somebody that's likable call them up and they they may have a better chance of answering while they're on vacation. >> One of my modifiers. >> Well, if you've got plus two likability, you might be the one doing the calling. >> Yeah. [laughter] So, so that's the point that that's also what Glen meant when he said that in the beginning, we don't know anything. We just know somebody is a vacation day

like that. >> What happened here? Yeah. Maybe it's legitimate. Yeah. >> Maybe it's not. make well it would be really it would if it's legitimate >> it's probably not legitimate >> it would be a really really boring scenario [laughter] >> but in theory we could also play scenarios that nothing is nothing's wrong here nothing to see yada yada >> you just have to figure that out >> that's that's also kind of training but um but yeah that's there there there also other things that you can do with with the with hack with HackBack which I more or less already mentioned so no worries we'll do that little fast. All right, cool. So, um right now everything is in our

private GitHub repo. We'll open source and when it's more usable. It's uh mostly Quarto Markdown which is basically just markdown orchestration. Uh we have a Discord you can join if you want to help out. Sharing is caring and that's a QR code or you can also just go to discord.d.gg/ GG/hackback >> totes legit. >> It's totally legit because because there Discord logo, right? >> So it can't be it can't be anything else. So yeah, the states we we had plans, right? But um there there were pre-made characters, a couple of scenarios. There are some incident master guidance handouts rules and uh instant incident master handbook is in the works. And uh yeah, we >> just need a little bit of help.

>> Yeah, obviously we we could need some improvement or people trying out or just building the thing and you know, whatever. >> That's kind of where the community comes in. If you guys are interested and want to do some of this yourself, >> uh you will have ideas. we haven't uh you will do amazing things that we haven't thought of yet. So >> yeah, but but we we we definitely have to have the discord kind of dead because it's it is >> our time has been limited sometimes. >> Yeah. Um and uh but but obviously the the plan is to build a community of people helping each other out and spreading the spreading the word of this

stuff. Also I'm from Europe, so we're doing this too. Or you could just insert any compliance frameworks. No, no, no matter what compliance it is, you're probably doing tabletop exercise because you have to. >> Your your requirement to test your IR plans have to happen somehow. >> Yeah. So, basically, you have two options. Either do it the sucky way and make your colleagues hate you or if you do it the fun way and make them love you. So, the red the red pill or the blue pill, right? [laughter] >> So, um yeah. And uh woohoo. Hand high five. >> All right. So you put the QR code back. >> So what >> the QR code that

>> I think we can probably make that happen. >> Uh we can probably >> God damn it. >> We can at least imagine it. >> Yeah. All right. >> Thank you. >> All right. Jesus Christ. Should we move? We're moving on now. Now we're moving on. And then All right. Here we are. Where we are. All right. Yes. And obviously this is the this is the coolest animation you ever do with Google Slides. So yeah, but uh obviously if if if you if if you want to do this stuff and you want want our help, I'm a freelancer by the way, then uh feel free to be to be in touch. And um yeah, if obviously if if you have

inspired you want to do this work, that's cool. If you al also have some decision power, it's even better. But uh anyway, get in touch. We can also help you convince your boss. >> We know we know we know we know things, right? But anyway, thanks and uh [applause] and I said at the beginning the QR code for downloading the slides. We are we are on LinkedIn. We have emails and uh if you have any questions.

>> Thanks. That's awesome. Hello. Testing. Yep. Works >> well. Kind of works. People don't have a >> hard It work. It works. You're like that. >> Oh, I have to eat it. That's the problem. Okay. Thank you, people. Um, thank you. That's awesome. Uh, I guess one question I have is when you're switching people in different roles. Could you talk a little bit more about how you handle that where you put like the marketing manager in charge of a technical role that they don't know anything about? And then the other question I have is why not LARP? like >> you could have gone LARPing instead of D&D-ing. >> Well, >> you're good. You're good. You're good.

>> Um, the way I like to think about putting people in roles is you you still have to know your audience and uh and and understand what a person might be comfortable with. Some players are not going to be comfortable shifting from their dedicated IR role or whatever it may be, uh, technical role into communications director or CEO even. Um, so the personalities have to be okay with that. So you're you're kind of gauging that a little bit. Um, but even then, if you take somebody who's normally a technical incident responder and make them the manager of that team, that still shifts the role a little bit and makes them think about things from a

little bit different angle. And I mean, you can use that as stepping stones to get further out of that and and really broaden the understanding of the roles that exist in an incident response. So, um, that's my two cents on it. >> Yeah. So, so, so I guess the next question is, Glen, why have you done any LARPing? >> Um, well, I've [laughter] not historically been a LARPer. Um, little cosplay now and again, we're hat cosplays John Strand. Um, [laughter] >> yeah, we Well, that that'll be the next edition, I think. >> All right. Wonder here. Microphone coming around. Yeah. >> Sorry. >> Um, very general question, but do you think it is a career added value to

learn how to play Dungeons and Dragons? If I have never never done it in my life, I don't know what the learning curve is. I don't know if it's worth it. I don't know if I'm going to throw the game board to the wall in 30 seconds. Like, will it help? >> Never too late. >> Never too late. But is it worth it investment? Is it worth >> the value add to your life one way or another? >> No. But but but >> career-wise career wise. >> But but but seriously what this is very very simple Dungeons and Dragons. I have >> I have I I I haven't been a Dungeons and Dragons player myself. So it's it's it's

it's not needed really. Also al also because the whole the whole role playing part of it you don't have to be completely roleplaying about it. You can also say, well, they don't want to do this and that, right? Instead of going into the character. So, >> this is this is really supposed to be low barrier to entry. >> So, >> but but but that also means that every once in a while you come into people who have never done you'd bump into people who have never done Dungeon Dragons and they >> they jump into it, right? And they are all in and it's really really amazing. So, so you see the other thing around people that are just naturals.

>> Well, thank you. Um >> Oh, yeah. I wanted Yeah, there there was one to run. >> Yeah, right here. >> Yeah. >> I would say a really big reason as to why it's D and D and not LARPing is because with D and D you have these awesome math rocks [laughter] with LARPing. Where are the math rocks? Why can't I roll a d20? >> Yeah, I like the math. Yeah, there there's rock paper scissors, but it's just it's not the same as rolling a d20 or >> rolling a one and having your plan spectacularly fail. >> Yes, >> good plan. Thanks. >> The randomness. >> Yeah. If there's one small thing we could do to help you guys out, what

would that be? Like a little action we could take? >> Well, talk talk about it. Talk to your boss. Talk to your colleagues. Talk to your friends. >> Yeah, join Discord. Yeah. Join Discord.

>> So, I guess half joking question. Whenever you're trying to do this like a I was kind of looking at your site a little bit. Um, are you seeing this as more of kind of like a one-off thing? Are you trying to set up campaigns or is this adventure rules? >> Yes. [laughter] >> No. Nobody. But it all it all depends on the on the company. Obviously, if you do incident response, which you more or less have to, right? Then why not just do this instead, right? It all it all depends on what what you're trying to achieve with it. >> All right, more questions. >> We'll uh we'll be around tomorrow and uh also on the emails and LinkedIn

and all that. Oh, there's one more. Are you are you actually having these teams take their runbooks and put those into play during this as well? >> We can uh it's not necessarily requirement but uh it's absolutely something on the table. Uh if they want to use their their own plans for their own company or a company very close to theirs. Absolutely. >> Yeah. Yeah. Yeah. But yeah, obviously if if every now and then when we play with people and they actually remember they have an incident response plan and they say, "Hey, I want to think I want to do my incident response plan." They get plus points. Right. >> Right. I mean I I think that would be

helpful. And I was curious also like if you have done that how much time it actually took in advance like are you helping them establish the gameplay or is that more on the company to do that? Uh we typically op uh op operate as the incident master and run the game, but we are more than happy to teach people how to do it, too. >> Awesome. >> Um yeah, so there's there's an art to it and we've we've learned this art by bumbling around until we got it. So [laughter] we can save the bumbling around. >> Yeah. But that that also means that you could read incident master handbook 20,000 times but if you haven't tried it

it's not the same as doing >> if you don't know about as incident master you need to know about security you need to understand the incident the technical aspects of it because if you don't if you if you don't know it don't understand then you can't >> sort of when people >> keep it plausible >> yeah they can't keep it plausible they can't drive the drive the story in the right direction and you also need to think on your feet so so so actually you training is one train is in one thing that you can't get just by reading the book. So, >> so it's a it's a learned skill >> and and also for many companies it's

just easier just to get someone else to get else to do it instead of allocating a lot of time themselves.

>> Yeah, absolutely. >> All right, let's give it up for Klaus and Glen. Thank you. Thank you.