Cybersecurity leaders often operate in a world of trade-offs where no option is strictly right or wrong. Security is an infinite game, where “winning” means reducing risk sustainably while maximizing available resources. With this in mind, SANS built Cyber42, a leadership simulation that challenges participants to make the same difficult decisions they will have to make on the job. As in real life, time and resources are in short supply, while difficult decisions, trade-offs, and unexpected challenges are not.
Each version of Cyber42 in the SANS Leadership Curriculum is tailored to reflect scenarios and choices relevant to a specific course. In LDR551TM: Building and Leading Security Operations CentersTM, players assume the role of a new Security Manager tasked with building and managing a security operations center (SOC) at fictional tech company Ops Outpost. We have been working hard on a new Cyber42 release for the SANS LDR551 course which will be available to students starting in Spring 2025. This post describes our approach to building a realistic simulation that embraces ambiguity while enriching the SANS learning experience.
How Cyber42 Works
Cyber42 is fundamentally a decision-making game. Each choice has a cost and may impact your score positively or negatively. In LDR551, scoring is tracked across four dimensions: Prevent, Detect, Respond, and Morale. Players can proactively invest in technical areas to drive a positive score, but building the best technical solution is only part of the objective. Burnout, fatigue, lack of advancement opportunities, and interpersonal conflict can all affect team morale and by extension, the final score.
In each round, participants navigate planned and unplanned decisions—most requiring time and/or money—that impact each of the four dimensions. Each answer is followed by a debrief explaining the outcomes of the player’s decision.
Excelling in all four dimensions results in bonuses but exceeding the allotted time or budget results in steep penalties. The player(s) with the highest aggregate score at the end of the game wins. This sounds simple enough, but designing a realistic simulation using finite game mechanics is no easy task!
Embracing Ambiguity
Unlike other gamified simulations that rely on binary right-or-wrong choices, the Cyber42 approach embraces ambiguity. Participants must weigh competing priorities, such as whether to invest in cutting-edge technology, prioritize training, or enhance automation. Each choice has pros and cons, and success is measured not by selecting a single correct answer but by how well participants balance technical capabilities, team morale, and limited resources. Context, experience, and judgment are key in striking the right balance.
Creating a simulation that feels authentic requires scenarios where every option has merit but also some risk. This means:
- Trade-offs matter: Each decision should have advantages and disadvantages. For example, selecting the most advanced product in one area may provide greater technical capability, but it may also require more human resources to operate.
- Context shapes outcomes: A choice that works well in one situation may backfire in another. For example, outsourcing SOC functions might seem cost-effective but could introduce new risks related to vendor management or lack of dedicated internal staff.
- Uncertainty is a factor: Just as in real life, participants may not have complete information when making decisions, and the expected time or budget for a task may not prove accurate.
- Feedback is key: Participants see the consequences of their choices in a real-time scoreboard and in their aggregate scores over time, reinforcing the idea that security operations is an ongoing process rather than a one-time solution.
Unpredictability, creativity, and feedback are important elements of any gamified experience, and Cyber42 leverages them to great effect to make decisions-making feel more grounded in the real world. The scenarios are designed to spark debate and encourage players determine the best decision under the circumstances, if not always the objectively correct decision. This should sound familiar to anyone operating in a leadership role.
Lessons for Cybersecurity Leaders
You can read more about Cyber42 and the SANS Leadership courses featuring the game here. By immersing students in realistic decision-making scenarios, Cyber42 provides a practical application of leadership concepts. The game’s emphasis on trade-offs, ambiguity, and real-world constraints mirrors the challenges of security professionals outside the classroom.
In the end, Cyber42 isn’t just a game, it’s a hands-on method of promoting balanced, collaborative decision-making skills that every security leader must possess.
