Roleplay & social engineering games

Theatre-style exercises where people experience manipulation first-hand. Acting out scenarios makes abstract concepts concrete and builds recognition skills.

Game: Social engineering speed dating (30 minutes)

Setup: Pairs rotate every 3 minutes. One person is attacker, one is target.

Scenarios provided on cards:

  • “Convince them to let you into a secure area without a badge”

  • “Get their password for ‘security audit’”

  • “Persuade them to click a link in a suspicious email”

  • “Obtain sensitive company information through casual conversation”

Rules:

  • Attacker uses any psychological tactic

  • Target tries to resist without being rude

  • After 3 minutes, discuss what worked and why

  • Rotate: target becomes attacker, move to new partner

Debrief: Which tactics were most effective? How did it feel to be manipulated? What red flags should we remember?

Game: “Yes, and…” security edition (20 minutes)

Improv theatre game adapted for security awareness.

Rules:

  • One person starts a security scenario

  • Next person says “Yes, and…” and makes it worse

  • Continue around the circle, making increasingly bad security decisions

  • See how absurd it can get

Example chain:

  • Person 1: “I received an email from my bank asking to verify my account”

  • Person 2: “Yes, and I clicked the link even though the sender was actually bank.security-verify.ru”

  • Person 3: “Yes, and I entered my username, password, and social security number”

  • Person 4: “Yes, and I also entered my mother’s maiden name and first pet’s name”

  • Person 5: “Yes, and when it asked for my full card details, I sent a photo of my card front and back”

Learning: Escalation of mistakes, how one bad decision leads to worse ones, absurdity makes it memorable.

Game: Red flag spotting competition (15 minutes)

Setup: Teams compete to identify the most security red flags in a set of scenarios.

Materials: Print scenarios or display on screen.

Scenarios include:

  • Email messages (legitimate and phishing mixed)

  • Office photos with security issues

  • Phone call transcripts

  • Text message conversations

Scoring:

  • 1 point for each legitimate red flag identified

  • Minus 1 point for false positives

  • Bonus points for explaining the risk

Example email:

From: IT.Support@company-services.net
Subject: URGENT: Verify Your Account
Dear Valued Employee,
We detected suspicious activity on your account. Click here immediately
to verify your identity or your account will be suspended in 24 hours.
Best Regards,
IT Security Team

Red flags to spot:

  • External domain pretending to be internal

  • Generic greeting

  • Urgency and fear tactics

  • Suspicious link

  • No specific details

  • Grammatical issues
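The red flags in the scoring list above are the same features an email filter would look for. As an added example (not part of the original exercise materials), the script below runs a few simple red-flag heuristics over the sample email from the page and over a constructed legitimate control message, so participants can compare their own tally with what a machine spots. The internal mail domain `company.example` is a placeholder assumption, as are the keyword lists; the "no specific details" and "grammatical issues" flags are left to human judgement.

```python
import re

# Sample email from the training page, split into headers and body (constructed dict).
SAMPLE_EMAIL = {
    "from": "IT.Support@company-services.net",
    "subject": "URGENT: Verify Your Account",
    "body": (
        "Dear Valued Employee,\n"
        "We detected suspicious activity on your account. Click here immediately\n"
        "to verify your identity or your account will be suspended in 24 hours.\n"
        "Best Regards,\n"
        "IT Security Team\n"
    ),
}

# Constructed control message: a routine notice from the real helpdesk.
LEGIT_EMAIL = {
    "from": "helpdesk@company.example",
    "subject": "Scheduled maintenance on Saturday",
    "body": (
        "Hi Dana,\n"
        "The file server will be offline Saturday 02:00-04:00 for patching.\n"
        "No action is needed on your side.\n"
        "Thanks,\n"
        "Helpdesk\n"
    ),
}

# Assumption: the organisation's genuine mail domain(s). Placeholder value.
INTERNAL_DOMAINS = {"company.example"}

# Keyword lists are illustrative; a real filter would use far richer features.
URGENCY_TERMS = ("urgent", "immediately", "suspended", "24 hours", "right away")
GENERIC_GREETINGS = ("dear valued employee", "dear customer", "dear user", "dear employee")
LINK_BAIT = ("click here", "verify your identity", "verify your account")
INTERNAL_CLAIMS = ("it security", "it support", "helpdesk", "help desk")


def sender_domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.strip().lower().rsplit("@", 1)[-1]


def spot_red_flags(email):
    """Return a list of human-readable red flags found in the message."""
    flags = []
    text = (email["subject"] + "\n" + email["body"]).lower()
    domain = sender_domain(email["from"])

    # 1. External domain while the message claims to come from an internal team.
    claims_internal = any(c in text for c in INTERNAL_CLAIMS)
    if domain not in INTERNAL_DOMAINS and claims_internal:
        flags.append(f"external sender domain {domain!r} while claiming to be internal staff")

    # 2. Generic greeting instead of the recipient's name.
    first_line = email["body"].strip().splitlines()[0].lower()
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting (not addressed to a named person)")

    # 3. Urgency and fear language.
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        flags.append("urgency/fear language: " + ", ".join(hits))

    # 4. Pressure to follow a link or re-enter credentials.
    if any(b in text for b in LINK_BAIT):
        flags.append("asks you to follow a link / verify credentials")

    return flags


def red_flag_score(email):
    """Number of heuristic red flags, mirroring the game's 1-point-per-flag rule."""
    return len(spot_red_flags(email))


if __name__ == "__main__":
    for name, msg in (("sample", SAMPLE_EMAIL), ("control", LEGIT_EMAIL)):
        print(f"{name}: {red_flag_score(msg)} flag(s)")
        for flag in spot_red_flags(msg):
            print("  -", flag)
```

Running it lists four flags for the sample email and none for the control message, which matches the first four items in the answer key; the remaining two items (no specific details, grammatical issues) are exactly the kind of judgement call the competition is meant to train.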

Game: Social engineering theatre (45 minutes)

Setup: Scripted scenarios acted out by volunteers with audience participation.

Scenario 1: The helpful stranger

  • Actor plays lost visitor needing to access building

  • Targets an employee for help

  • Uses sympathy, urgency, and authority to manipulate their way in

  • Audience calls out manipulation tactics as they spot them

  • Replay with correct response

Scenario 2: The urgent phone call

  • Actor calls pretending to be from IT

  • Claims a system emergency that requires the employee’s password immediately

  • Uses technical jargon, urgency, and authority

  • Audience votes whether to comply

  • Discuss consequences and correct response

Scenario 3: The CEO email

  • Display email from “CEO” requesting urgent wire transfer

  • Ask what’s suspicious

  • Reveal it’s fraud

  • Discuss verification procedures

Scenario 4: The USB drop

  • Actor “finds” USB drive in parking lot labelled “Salary Information 2024”

  • Debates plugging it in to find the owner

  • Audience discusses risks

  • Reveal consequences (malware, data theft)