Abstract:
With the rise of the Information Age, there has also been a growing rate of attacks
targeting information. In order to better defend against these attacks, being able to
understand attackers and simulate their behaviour is of utmost importance. A recent
approach of using serious games provides an avenue to explore offensive cyber attacks
in a safe and fun environment. There exists a wide range of cyber attackers, with
varying levels of expertise and different motivations. This project provides a
novel contribution in using games to allow people to role play as malicious attackers
and then using these games as inputs into the simulation.
A board game has been designed that emulates a cyber environment, where
players represent offensive actors, with seven roles - Cyber Mercenary (low and
high capability), State-backed (low and high capability), Script Kiddy, Hacktivist
and Counter-culture (not motivated by finances or ideology). The facilitator or the
Games Master (GM) represents the organisation under attack, and players use the
Technique cards to perform attacks on the organisation. All cards are sourced from
existing Tools, Techniques and Procedures (TTPs). Along with the game, players
also provided responses to a questionnaire that encapsulated three individual
differences: Sneider's self-report, DOSPERT and Barratt's Impulsiveness scale. There
was a total of 15 players participating in 13 games, and three key groups of individual
differences players. No correlation was identified between the individual Technique card
pick rate and role. However, the complexity of the attack patterns (Technique card
chains) was modulated by roles, and the players' individual differences.
A proof-of-concept simulation has been made using an Agent-Based Modelling
framework that re-plays the actions of a player. One of the aspects of future work is the exploitation of the game data to be used as a learning model to create intelligent
standalone agents.