CAT & Mouse
Better incident response through simulation
Last updated December 2024
Because this website uses a slide presentation embed, it doesn't work well on a mobile device. Please use a device with a larger screen.
About the game
CAT & Mouse is a cybersecurity online training game for small to medium sized teams and organizations, particularly those in the not-for-profit space. Each round of the game simulates a real cyber attack, where players take on the role of either the defenders or attackers. Through playing the game, players will:
-
Learn new ways to defend their organization
-
Reflect on their current cybersecurity practices
-
Understand the importance of planning ahead for cybersecurity
-
Better learn how an attacker thinks
Players do not need to have any previous cybersecurity or technical knowledge to play it, and we highly recommend inviting people from different departments within your organization to participate.
Game requirements
-
Access to a video conferencing tool with breakout rooms (e.g. Zoom with breakout rooms turned on)
-
Facilitators and players:
-
For a small game: 1 game leader + 4 players
-
For a large game: 1 game leader + 4 breakout room facilitators + 4 player teams. Each player team should have 2-5 players (which means there will be 8-20 players total).
-
Time: 60-90 minutes
How to run your own game
The game leader runs the game by sharing their screen (on Zoom or a similar platform) showing players a slide deck. The slides include an introduction to the rules as well as the main game board that the attacks and defenses take place on.
Below we've embedded an annotated version of the slide deck. Slides with a black background will be the ones shown to players. Slides with a white background are only used here to explain the game to game leaders. To read the annotated slides, make sure you use the arrows at the bottom right of the slide to navigate, the ones below the yellow button arrows.
Who should be the game leader?
It helps if the game leader has some knowledge of general cybersecurity practices, so that they are able to explain any concepts or answers that people are unsure about. However, it's not necessary as the game is designed to be self-explanatory.
We also encourage game leaders to:
-
Add their own story and explanations while they are hosting games to spice up the experience for players.
-
Set up a lighthearted atmosphere and remind everyone that this is a fictional simulation.
-
Take a firm stand in making sure the game moves at a brisk pace, and to postpone detailed comments and objections about technicalities to the end.
Optional questions after the game
-
"Were there any situations that made you think about your own organization?"
-
"Was there anything that surprised you?"
-
"The game gives the defenders a year to prepare for the attack. What if the time period was shortened to six months or two weeks?"
-
"For the attack team, how does it feel being on the offense?"
Explaining the game to the breakout room facilitators
Breakout room facilitators have a relatively straightforward role. They need to:
-
Screen share the right PDF to their team once the breakout room starts, and make sure everyone knows how many attacks/defenses they are choosing (it's written on the PDF).
-
Encourage everyone to participate during the breakout room, and make sure their team assigns a notetaker. ("We'll need one notetaker per group. They should write down which attacks you pick. Make sure to include the number assigned to each attack. Later in the game, the notetaker will have to report back on which choices your team made.")
-
Make sure their teams are revealing their answers truthfully later in the game.
We recommend scheduling a one-hour group meeting with your facilitators beforehand to walk them through the slides, do a test run through the game, and to tell them what their tasks are.
Having said that, here are some extra tips to pass on to your facilitators:
-
Attackers receive menus with options that are all relevant to the chosen scenario. Meanwhile, defenders receive menus with options that apply to all three scenarios (in other words, only 6 of the 18 choices relate to the chosen scenario).
-
Each attack maps specifically to one defense. So if you catch players on the defense trying to pick an item to catch multiple attacks, then they are on the wrong track.
-
Defenders often ask whether they are in a hurry or whether they have a lot of time to implement their choices. Remind them that they have a year to prepare for the attack.
-
Attackers have to make 9 choices in 10 minutes, so remember to create a fast-paced atmosphere if you're on the attack team.
Prepare the breakout rooms/teams before the game
-
Assign a team to each of your four breakout room facilitators so that when once the breakout rooms start, they know how to lead them (and which PDF to screen share).
-
Within your video conferencing tool, use the right settings so that the breakout rooms are set up with one facilitator each (and it's not 100% random assignment).
Slides and handouts to start a game
Open this in a new window and screen share it (make sure the screenshare setting is only that window so you don't accidentally share the answers later). You'll also want to make sure that when you screen share that the sound is also shared (here are the instructions for turning it on in Zoom for example).
Once the teams are divided up and in their breakout rooms, make sure the breakout room facilitators download and screen share the appropriate PDF below to their team:
When the attacks start rolling in, here are the answer sheet and the index of injects (make sure you don't accidentally screenshare these pages):
Moving from game to reality...
CAT & Mouse is an introduction to incident response and tabletop exercises within the field of cybersecurity. We hope that the game is pleasureable and is able to wet your appetite for more on this topic. To that end we've included additional resources and further reading below. But before that, while the game is still fresh, think about how to implement what you've just learned from the game and put your learnings into action:
-
Create a security policy
-
Create an incident response plan
-
Test that incident response plan with a tabletop exercise (TTX)
Resources
-
Cybersecurity Assessment Tool: Created by the Ford Foundation, by some of the same people that brought you this game.
-
Backdoors & Breaches: If your team is technically advanced in IT or cybersecurity, the team at Black Hills Information security developed a “dungeons & dragons” type game that helps make tabletop exercises fun.
-
SOAP (Securing Organizations with Automated Policymaking) is a security policy generator that the Ford Foundation Cybersecurity Assessment Tool’s team recommends for making a “security policy”.
About the creators
A team of cybersecurity experts and game designers first created this game for the Ford Foundation in 2021-2022. They designed the game as a follow-up activity to the Cybersecurity Assessment Tool, providing a hands-on way for teams to increase their organizational security knowledge, and as an accompaniment to the session on tabletop exercises.