Adversary persona workshop

An adversary persona is a model of who might attack you: their motivations, their capabilities, and the access they plausibly have. It gives the group something concrete to reason about rather than working against an abstract “attacker.”

Like all models, a persona encodes assumptions. The personas a group produces are revealing not only about the adversaries being modelled but about the group itself: who they are willing to imagine attacking them, how sophisticated they believe that adversary to be, and what they are prepared to accept as a realistic threat. A group that consistently produces only external, technically sophisticated adversaries and never produces an insider or a partner organisation is making assumptions worth examining.

The political layer is particularly visible in this exercise. Naming a specific class of adversary can be uncomfortable. “A disgruntled employee with access to the billing system” is a more specific and more useful persona than “an insider threat,” but it requires people to acknowledge something about their own organisation that may feel disloyal or alarmist. The facilitator’s role is to make the room safe enough for honest naming.

The exercise

Gather a small group of no more than five or six people. Include someone who knows the system technically, someone who knows how it is used operationally, and if possible someone from outside the immediate team who can ask naive questions.

Pick one system or service to focus on. Keep the scope tight enough that the exercise stays concrete.

Build a persona for a realistic adversary using the template below. Do at least two personas: one external adversary and one insider or near-insider (contractor, former employee, partner with access). The second persona is usually the more uncomfortable and the more useful.

Persona template

Name or label: something descriptive rather than generic. “Competitor conducting industrial espionage” is more useful than “external attacker.”

Motivation: what do they want and why? Profit, disruption, revenge, competitive intelligence, ideological goals, curiosity.

Capabilities: what skills, resources, and knowledge do they plausibly have? Be honest about this. Underestimating adversary capability is a model failure with a predictable consequence: the controls you plan will be sized for a weaker attacker than the one you actually face.

Access: what entry points do they realistically have? Consider technical access, social access, physical access, and supply chain access.

Preferred tactics: phishing, insider misuse, supply chain compromise, credential stuffing, social engineering, API abuse. Choose based on the persona’s capabilities and access, not based on what is easiest to defend against.

What to do with the personas

Personas that are built and then set aside have not been useful. The persona is the input to the next exercise. At the end of the session, look at your personas and ask: are we missing any realistic adversary? Are we assuming away any uncomfortable ones? The answer to the second question is often more informative than the answer to the first.

Common difficulties

Every group eventually produces a persona so sophisticated (nation-state level, unlimited resources) that it becomes useless for planning. If this happens, add a constraint: this adversary has a budget of X, or is not willing to spend more than Y hours on reconnaissance. A bounded adversary is one you can plan against; an unbounded one justifies any control and therefore prioritises none.

Groups also sometimes produce only the adversaries they feel capable of defending against. The facilitator can gently push toward the adversary the group finds most uncomfortable. That discomfort is usually pointing at something real.
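The checks the facilitator otherwise applies by hand (at least two personas including an insider or near-insider, a specific rather than generic label, tactics that are consistent with the persona's access, and a budget or time bound on an otherwise unbounded adversary) can be encoded as a small linter over a persona set. The Python below is an added example written for this page, not part of the workshop material; the field names, the tactic-to-access mapping, the list of generic labels and the two sample personas for a billing service are assumptions made for illustration.

```python
"""Linter for a set of adversary personas built with the workshop template.

Hypothetical helper written for this page, not part of the workshop itself.
The field names, TACTIC_NEEDS mapping, GENERIC_LABELS and the SAMPLE personas
are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Access channels the template asks the group to consider.
ACCESS_CHANNELS = {"technical", "social", "physical", "supply_chain"}

# Which access channel a tactic needs to be plausible at all. This mapping is an
# assumption for the example; a real workshop would agree its own.
TACTIC_NEEDS = {
    "phishing": {"social"},
    "social_engineering": {"social", "physical"},
    "insider_misuse": {"technical"},
    "supply_chain_compromise": {"supply_chain"},
    "credential_stuffing": {"technical"},
    "api_abuse": {"technical"},
}

# Labels too generic to be useful (assumed list for the example).
GENERIC_LABELS = {"external attacker", "insider threat", "attacker", "hacker"}


@dataclass
class Persona:
    label: str
    kind: str                        # "external", "insider" or "near_insider"
    motivation: str
    capabilities: set[str]
    access: set[str]
    tactics: list[str]
    budget_usd: int | None = None    # None: the group has not bounded it
    recon_hours: int | None = None   # None: the group has not bounded it


def lint_persona(p: Persona) -> list[str]:
    """Return findings for one persona; an empty list means it passes."""
    findings = []
    if p.label.strip().lower() in GENERIC_LABELS:
        findings.append(f"{p.label!r}: label is generic; name a specific class of adversary")
    if not p.motivation.strip():
        findings.append(f"{p.label!r}: motivation is empty")
    for channel in sorted(p.access - ACCESS_CHANNELS):
        findings.append(f"{p.label!r}: unknown access channel {channel!r}")
    for tactic in p.tactics:
        needs = TACTIC_NEEDS.get(tactic)
        if needs is None:
            findings.append(f"{p.label!r}: unknown tactic {tactic!r}")
        elif not (needs & p.access):
            findings.append(
                f"{p.label!r}: tactic {tactic!r} needs {sorted(needs)} access, "
                f"persona only has {sorted(p.access)}"
            )
    # The "unlimited resources" failure mode: with no budget and no
    # reconnaissance-time bound the persona cannot be planned against.
    if p.budget_usd is None and p.recon_hours is None:
        findings.append(f"{p.label!r}: unbounded; add a budget or a reconnaissance-hours limit")
    return findings


def lint_persona_set(personas: list[Persona]) -> list[str]:
    """Coverage findings for the whole set, followed by per-persona findings."""
    findings = []
    kinds = {p.kind for p in personas}
    if len(personas) < 2:
        findings.append("fewer than two personas; build at least an external and an insider one")
    if "external" not in kinds:
        findings.append("no external adversary persona")
    if not kinds & {"insider", "near_insider"}:
        findings.append("no insider or near-insider persona; this is the one groups tend to assume away")
    for p in personas:
        findings.extend(lint_persona(p))
    return findings


# Constructed sample set for a billing service: one well-formed insider persona
# and one external persona that makes three template mistakes at once.
SAMPLE = [
    Persona(
        label="Disgruntled billing-team employee",
        kind="insider",
        motivation="revenge after a denied promotion; wants to embarrass the company",
        capabilities={"knows the billing admin UI", "holds valid staff credentials"},
        access={"technical", "social", "physical"},
        tactics=["insider_misuse", "social_engineering"],
        recon_hours=10,
    ),
    Persona(
        label="external attacker",                                     # generic label
        kind="external",
        motivation="profit from resold customer records",
        capabilities={"unlimited resources"},
        access={"technical"},
        tactics=["credential_stuffing", "supply_chain_compromise"],    # no supply-chain access
    ),                                                                 # and no budget or time bound
]

if __name__ == "__main__":
    for line in lint_persona_set(SAMPLE):
        print(line)
```

Run as a script, it lists the findings for the sample set; the insider persona passes and the external one is flagged for its generic label, for a tactic it has no access channel for, and for being unbounded. The coverage rules at the set level are what catch the more common workshop failure, a set with no insider at all.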

Simulations in practice describes how to run the personas built in this exercise against simulation environments, and how to structure the debrief.