Adversary Personas


Difficulty Level:

Design Phase:

Method Overview

Adversary Personas is an improvisational role-playing game designed to help teams think broadly and creatively about their cybersecurity threats.

Framework of ethics used

consequentialist

pragmatist

Method Intentions:

Get Started

Participants: A group of people—preferably people who are working to protect the same resources (e.g. digital networks, company data, etc).

*The game can be played by teams of employees in any organization. It is recommended for groups of between 2-10 people.

Materials Needed: The Adversary Personas game, list of things you want to protect, list of needs of adversaries, list of actions of adversaries to get what they want

Process:

  1. What are you protecting?
    Before starting the game, the group should work together to list out all the things they are protecting. Think broadly. Go beyond sensitive data, and list all that is valuable to your organization, such as clients and customers, the community you share in your work, the security or stability the work provides you and your loved ones. What else? List these on a sheet of paper.
    Optional: Pass around the Impacts cards. Have everyone look through them for inspiration.
  2. Who are your adversaries?
    In the previous step, you listed some of the things you want to protect. But adversaries want things too. They have desires that conflict with yours. What do your adversaries want? What are they going to do to get it?
    Pass around the Motivations deck. When you’ve got the deck, take the top card, and read it out loud in the first person. For example, “I need money. Flesh out this character a little more. For example, “I work for our company, and my rent is going up, and I need to find the extra money somewhere, or my kids and I are going to be priced out of town.”
    Then, say what you are going to do about it. For example, “I need money, and I’m going to skim pennies off of every transaction that comes through our service.”
    You have just described an adversary. Note down a memorable name for him/her. For example, the character described above might be called “the cash-strapped programmer.” This is an adversary persona.
    Tip: Make this process interactive. Once the person with the card gets into character, the group can ask that person questions as if they’re the character. It’s a great way to get your adversary in the room. How often do you get to interview your attackers?”
  3. What do adversaries have at their disposal?
    Distribute all of the Resources cards around the group. Everyone should have a few Resources cards in their hand. With the cards you’re holding, survey the personas you’ve generated. Use them to highlight or challenge your assumptions. For example, were you assuming the lone hacker didn’t have money, or political power? What if they do?
    In some cases, adding an unexpected resource may create a new personas. If they do, note them down and give them a new name.
  4. Who are you most concerned about?
    Pick the top one to three personas you think are most likely for your organization. If you can, act out the attack as if you are that attacker! See if you can create a proof of concept that maps to that attackers’ needs or desires.

Further Reading

Nick Merrill and Joanne Ma. [n.d.]. Adversary Personas. https://daylight.berkeley.edu/adversary-personas/.