Nick Merrill

Adversary personas

Adversary persona cards

Adversary personas is an improvisational role-playing game to help speculate on threats to sociotechnical systems.

Adversary personas focuses on the who of security—what do your adversaries want, and what are they willing to go through to get it?

Download the cards

You can download the cards [pdf].

Get the cards

If you would like a nicely-printed version of the cards (see above), contact Nick:

ffff at berkeley dot edu

Suggested gameplay

Adversary personas is played in a group---preferably a group of people who are working to protect the same thing.

1. What are you protecting?

Before starting the game, work together to list what you are protecting.

Think broadly! Not just sensitive data, but clients and customers themselves, the community you share in your work, the security or stability the work provides you and your loved ones—what else?

List these on a sheet of paper.

Optional: Pass around the Impacts cards. Have everyone look through them for inspiration.

2. Who are your adversaries?

In the previous step, you listed some of the things you want.

Adversaries want things too. They have desires that conflict with yours.

What do your adversaries want? What are they going to do to get it?

Pass around the Motivations deck. When you've got the deck, take the top card, and read it out loud in the first person. For example, "I need money."

Flesh out the character a little more. For example, "I work for our company, and my rent is going up, and I need to find the extra money somewhere, or my kids and I are going to be priced out of town."

Then, say what you are going to do about it. For example, "I need money, and I'm going to skim pennies off of every transaction that comes through our service."

You have just described an adversary. Note down a memorable name for them. For example, "The cash-strapped programmer." This is an adversary persona.

HINT: Make this interactive. Once the person with the card gets into character, the group can ask that person questions as if they're the character. It's a great way to get your adversary in the room. How often do you get to interview your attackers?

3. What do adversaries have at their dispoal?

Distribute the Resources cards around the group. Everyone should have a few Resources cards in their hand.

With the cards you're holding, survey the personas you've generated. Use them to highlight or challenge your assumptions.

For example, were you assuming the lone hacker didn't have money, or political power? What if they do?

In some cases, adding an unexpected resource may create a new personas. If they do, note them down and give them a new name

4. Who are you most concerned about?

Pick the top one to three personas you think are most likely for your organization. If you can, act out the attack as if you are that attacker!

For more on this step, stay tuned for the next game, Threat Fictions...

About the cards

These cards are inspired by my experience with theatrical improv, by the UX practice of user personas, and by Denning et al's Security Cards, by Hendry et al's Envisioning Cards, and by Elsden et al's Speculative Enactments.

Visual design of the cards by Noura Howell.

Many thanks to Richmond Wong and Emily Witt for their formative tests.