
Dungeons & Dragons: The security tool you didn't know you needed

BSides Dublin · 24:46 · 25 views · Published 2025-10 · Watch on YouTube ↗
Style: Talk
Transcript [en]

...anymore. Welcome to my talk. I'll be talking about Dungeons & Dragons, which we all love, and why, or how, you can actually get to use it in your adult job, and use that as an excuse. So, you know, thank me later. But first, a little bit about me. The worst thing about black pets is that, first of all, you can't really take a photo of them, and if you manage to do so, nobody can see how damn cute they are. But I live in Copenhagen along with my wife and those two. I've been in security since 2004. During that time I managed to get good at absolutely nothing, but also

moderately knowledgeable about a lot of things. So that's my fortune, I guess. I used to do a lot of security architecture before I became a freelancer, and I've always been involved with the community. I've been involved with my local chapter, and in 2019 I co-founded BSides Copenhagen. I also quickly realized that running a BSides, and running it again, is not something I'm good at, so I stepped down last year. But it's really great to go to a BSides without being the one running around having to organize everything. So I went freelancer because I want to be able to do

fun stuff, and also I figured nothing could possibly go wrong with that. Life as an independent isn't always easy, but usually good. And also you get your company to pay for all your trips without having to convince them, which is cool. And there is no reason for you to take any photos of slides, because my last slide will be a QR code, and I promise that QR code is legit and it points to my slides. And about BSides Copenhagen: it's on November 8th, 2025, and the CFP closes in one week,

just saying. Last year we had 650 people and three tracks, so it's kind of like Dublin, I guess. Right, let's get back to the real business. First I want to talk a little bit about which problem I'm trying to solve by using Dungeons & Dragons instead of your ordinary tabletop. I'll also talk a little bit about theory, how your brain works, and why role-playing games in particular work, and then I'll talk a little bit about hackback, which is our open source framework for doing this. I'll come back to that. So first of all, I'm not talking about

gamification; that is something completely different. Game-based learning is where the game is the actual learning experience. Gamification is taking something that has nothing to do with learning, and doesn't have to, and then turning it into a game, basically. Like which department answers the really boring computer-based training first gets cake. That's gamification. So yeah, just to get that out of the way. So what's the problem with training? Well, first of all, usually it's class-based or computer-based, which is even worse. And before I talk too much about incident response, I want to say that

I'm talking about my own experience and what I've heard. You may have excellent people doing excellent incident response training which is engaging and fun, and that's perfect, but I don't see much of that around, so hence my job. So the problem with the first two, class-based training, is that they are very intellectual and very theoretical. It's a very theoretical way of training, and that's not how incident response works. You need this as muscle memory, to be something that you do, and obviously the way training works in incident response is using a tabletop exercise of some sort to try and get

that muscle memory working. But if it's not engaging, if people don't really immerse themselves in it, then, you know, what's the point, right? So yeah, as I said, it's all about building muscle memory on incidents. And the way it usually works is that people tend to think too much about who else is in the room. They tend to think too much about their own egos, about finding holes in your scenario, thinking that won't work, all that stuff. And the most important thing, though, is that usually when doing those kinds of boring tabletops, people really don't engage, and fun is almost taboo. In my

mind, that's totally wrong. Fun is actually what makes you want to engage and want to do this thing. So of course there is another way, and that's what I'll be talking about. To me it has always made sense to combine fun and learning. And it turns out that using that approach, just saying do it because it's fun, may not be totally convincing. So I had to find some theory that backs this up. Here I'll be quoting: "most studies in the sample report analog game-based learning as an effective pedagogical tool with an impact on the learning, cognitive, and psychological levels."

That's from "Playing at the school table" in Frontiers in Psychology, which is a systematic review of board, tabletop, and other analog game-based learning approaches. So in general, game-based learning is a good approach; that's what science tells us. But fun is serious business, and that's another thing that may be hard for some companies and some management to understand: that fun is actually good. Fun is what makes things like this worthwhile, and you can also have fun and learn at the same time. Fun can be serious. So there's a bit of a cultural shift

there, I guess. All right, there is something I should have fixed. Another quote that I made part of the talk, mostly because it's fun: "I think we're all impressed by how stupid humans are. It reaches almost epic proportions. We're stupid in dozens of ways, but human minds are plug-in devices. They're not meant to be used alone. They're meant to be used in networks." Games love to do that. They allow us to use collective intelligence, and collectively we're not so stupid. Basically, there's an article somewhere by Stanford. The whole point of this is that kids intuitively learn by playing

and by interacting and using each other's brains, networking their brains, and that works perfectly well. But then they start in school and it's all over, right? Then we don't do that anymore. So the whole point is that maybe we should go back and actually think about what a good way for people to learn is. There are many ways to do this learning with others. I've chosen to do it as team-based learning, as role-playing games, because of real-life experience trying it, and also because we like games and believe that it has

potential. And on role-playing games, another quote: "Learners in Dungeons & Dragons are placed in an inviting, encouraging, passionate, and intellectually engaged environment. Play opens towards a truly amazing possibility for learning." That's a close quote from an article quoting David Simkins, a professor at the Rochester Institute of Technology and an expert on gaming and learning. So it turns out serious people are actually doing research on Dungeons & Dragons specifically, which is amazing, right? So not only is gaming good, Dungeons & Dragons is also good. Here we are. And also, of course, we're geeks, I'm geeky, so once again an excuse to make Dungeons & Dragons part of your

grown-up life, my grown-up life, and as I do, you probably will too. So the thing with all this is that it's fun. People laugh a lot, and the reason why they do that I'll talk about later. When people laugh and get immersed in the game, they forget their egos. They forget to protect their turf. They forget to fight the scenario. They're basically just in the present, right? And then of course they're more honest. And then obviously, in a role-playing game, people are actually playing roles. That

also means that you can change the roles around. In an incident response scenario, or in general, if you're very technical you tend to think the only thing that really matters in an incident, or in incident handling, is the technical part of it. But if you take a person like that and put them into the role of head of communications, where they have to manage other stakeholders, all of a sudden they realize, well, maybe there are other things that are important, and that's the whole empathy thing, right? That improves the team in general, because if you understand and respect what everyone else is doing, then the team just works better. And of course,

when we do Dungeons & Dragons it's more lifelike, in the sense that there is a limit to how many actions a person can take, or, put another way, one person can't do everything like they might normally in an ordinary exercise, because there's a fixed number of actions for each character, and when those actions are gone, somebody else has to do something. In that way the load will be more... yeah. Of course you don't want your incident response to depend on just one person, but that's another story. But hackback is a general framework for simulating any situation, and also

we are trying to open source it, meaning that we have all the code in a GitHub that's not public, because we haven't gotten around to writing all the documentation that we want to, but it's free to use, and I'll give you the link to our Discord where you can ask for access after this. So yeah, this is the website and the fancy logo, it's on LinkedIn, and there's also a QR code at the end. So let's talk about what it actually is. Using Dungeons & Dragons for security training is

not just about incident response, because, as you know if you have been playing Dungeons & Dragons, you can basically simulate any kind of situation, and it's the same thing in security. What you use it for is what I call de-abstractify, meaning that you play around a subject that is a little bit abstract, for instance like IAM, which is a little bit abstract and boring. But what if you play a scenario where you're attacked and you have IAM, or you don't have IAM, and then you actually, you know, get rolled over? Or even talk about zero trust, because zero trust, who

knows what zero trust is anyway, right? Well, why don't you have a scenario where you're doing those things without calling it zero trust, and then actually get a feeling of what it is without people focusing on the buzzword, for instance. And also it can be used to teach non-technical personnel about security. You can put them in a situation where they're either hackers or they're defending, without them actually knowing what to do, but making it at a higher level of abstraction, because the point is that they need to get a feeling of what is needed, what security is, all that stuff, which in turn

makes them better at their job, like sales or marketing, for instance. Also, for instance, a scenario where you are five people trying to physically penetrate a building. You each have two physical tools you can bring, and you're all good at different things. Meaning it's a game about physical penetration of a building, but it's also a game about teamwork, right? Because you can't do it if you don't work together. Also marketing: if you have some security product and you want to explain to users or potential users or buyers how your product works, well, write a scenario, put it in a

game, then they'll get a better feeling, and also it's much easier than doing a golf course. In team events, you can also play this in teams, where each team is discussing which characters should do what next. I've done this with 25 to 30 people, which works fine. And similarly, in a real event, you can also use a scenario based around something that you have actually done, to convey how you work, how your company works, and why it matters what you do. So there's a lot of things you can do, and as I said, it's just a matter of

getting the right idea and then of course following through with that. Hackback we're mostly playing in the incident response edition, because incident response is something we all have to do. So it's quite easy, or rather it's easier, to explain why you should do something that you're already doing in a different way, rather than explaining why you should do something that you don't do at all. So for incident response, the way it works is that the incident master runs the game, like a storyteller, and the thing with being incident master is that it

takes a lot of skills. You need to know about security. You need to know exactly what's going on on a technical level in the game, so that you can react to what your players want to do and build a story around it that makes sense. Also, you need some experience as a dungeon master. You need to be able to think on your feet, because there's a lot of things you can do. Obviously, when you design a scenario, you have an idea of which direction the game will go, but it's really up to the players. So, who knows, right? So you really need to be able to take that into

action or integrate it. When we play, we usually play a team with broad skills, like we have a CMO, a CFO, the manager, a supporter, a Microsoft system architect, or whatever. It depends a lot on the scenario and what makes sense. And then each player has a twenty-sided die, a D20, and the reason for that is that we want to simulate real life. Sometimes in an incident you do all the right things but it just doesn't work. So you need to be able to work with that in real life too. Oh, and yeah, scenarios are open; they can go in any direction,

which is also how it works in real life, because when you start a scenario you don't really know what's going on. You need to investigate and see where the story takes you, so to speak.

And also the way it works with characters is that they all have things they're good and bad at, and their modifiers, or they're called modifiers in the game. We tend to make characters a little bit stereotypical, in that, for instance, we have a Microsoft system architect who really loves Microsoft and really hates Linux, and who also has a minus two to likability because they're really annoying, and I guess at some point we have all met a person like that. Or a CFO who really only thinks about money. And in the beginning of the game we introduce this character, and that is where

the magic happens, that is where people are laughing, loosening up, having fun, and that's where the tone for the rest of the game is set. So an example scenario: it always starts on a Friday afternoon, because that's when incidents happen. The company has their entire IT infrastructure in Azure, and they got an alert from Microsoft, or whatever they call it these days, basically saying that an administrator from marketing logged in, and the weird thing about that is the location. So what do you do? You can do a lot of things in a situation like that, and it's

really up to you what you want to do. You can look at a lot of things. You can also maybe get your first-level support, who has plus two likability, everybody likes them, to call the administrator who is on vacation, and then there's a bigger chance of them picking up their phone, and you can ask them: was it you? Or you can look at the logs: they logged in from China. Oh, that one. So that wasn't good. So you can do a lot of things. That's the point. But you can also do a lot of other things with hackback. For instance, I had ideas

that you could put hackback on top of a red team assignment, where you do the actual technical hacks, or whatever, and then build the management around that and train that. Or you can do risk assessment in a Star Wars scenario, where you sit in the Death Star and one player can be Darth Vader, and I assure you, all of a sudden all the geeks want to learn about risk assessment. So there's a lot of other ways you can do it. And as I said, it's all

open source, it's all in markdown, sharing is caring, and we have a Discord where you can join and ask for access. It's not exactly where we want it to be, but it all takes a lot of writing, and writing takes time and is not the most interesting thing to do. So that's where we are. And also the good selling point of this is that if you're doing NIS2 like anyone else, or DORA, then you have to do some training. So why not do it in a way so that your colleagues don't hate you, right? Well, it's all about having fun and learning. And one

last thing, of course, is that if you want to play with me on this, then feel free to talk to me. I'll be happy to help you get it done. If you have the decision power, that's cool; if you don't, I'm pretty sure we can find other ways to convince your boss. And thanks. [Applause] I don't know if you have time for questions or anything? Time for questions.

>> All right. Oh, yes. So... >> Okay. >> Oh, the thing is, it's best played with around five to seven people, something like that, because otherwise it takes too long. I would say there's a cap of around maybe 3 hours, because people can't concentrate for longer than that. And that's basically why I came up with the whole idea of playing in teams, because then you can scale up. It all depends on what you want to do with it. [Music] >> Sorry. Yes. >> If it can be used for threat modeling? Yeah, yes, of course. I mean, as I said, it's all a matter of coming up with the

right scenario. So, depending on how realistic you want to do it, it depends if you want to teach the concept of threat modeling or you want actual threat modeling of an actual thing, because those are two different things, but the way I see it, it can be used for both, really. So yeah. And I will say that's it. Oh, the last thing, of course, is that I have dice. They're metal and colorful. And also I have some stickers for my BSides.
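As an added illustration (not code from the hackback project, whose repository the speaker says is not yet public), here is a toy model of the mechanics described in the talk: each character has role modifiers and a fixed action budget, and every action is resolved by a d20 roll plus modifier against a difficulty, so the right action can still fail. The character names, skills, difficulties and the Friday-afternoon Azure sign-in scenario are constructed for this example.

```python
"""Toy model of one round of a hackback-style incident response tabletop.

Constructed example, not the project's code: characters carry modifiers
and a fixed number of actions per round, and each action is resolved as
d20 + modifier >= difficulty, so a sensible action can still fail.
"""
from dataclasses import dataclass
import random


@dataclass
class Character:
    name: str
    role: str
    modifiers: dict          # skill -> bonus or penalty, e.g. {"azure": 3}
    actions_left: int = 2    # fixed action budget per round


@dataclass
class Action:
    name: str
    skill: str
    difficulty: int          # d20 + modifier must reach this to succeed
    on_success: str
    on_failure: str


def resolve(char, action, roll):
    """Spend one of char's actions using the given d20 roll; returns
    (outcome, narration) with outcome True/False, or None if out of actions."""
    if not 1 <= roll <= 20:
        raise ValueError("a d20 roll must be between 1 and 20")
    if char.actions_left <= 0:
        return None, f"{char.name} has no actions left this round"
    char.actions_left -= 1
    ok = roll + char.modifiers.get(action.skill, 0) >= action.difficulty
    text = action.on_success if ok else action.on_failure
    return ok, f"{char.name} ({char.role}): {action.name} -> {text}"


def play_round(plan, rng=None):
    """Resolve a list of (character, action) choices with random d20 rolls."""
    rng = rng or random.Random()
    return [resolve(c, a, rng.randint(1, 20)) for c, a in plan]


# Constructed sample scenario from the talk: Friday afternoon, an Azure alert
# says a marketing administrator signed in from an odd location.
CHECK_LOGS = Action("query the sign-in logs", "azure", 10,
                    "the sign-in came from China", "the log query times out")
CALL_ADMIN = Action("phone the admin who is on vacation", "likability", 12,
                    "they pick up: 'that wasn't me'", "straight to voicemail")

if __name__ == "__main__":
    bo = Character("Bo", "Microsoft system architect", {"azure": 3, "likability": -2})
    ida = Character("Ida", "first-level support", {"likability": 2})
    for _, line in play_round([(bo, CHECK_LOGS), (ida, CALL_ADMIN)], random.Random(7)):
        print(line)
```

Because the roll is injected into `resolve`, a scenario author can replay a round deterministically, while `play_round` gives the live-game behaviour where a well-chosen action sometimes fails anyway.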