About Ocean’s 99
The owner of the Bank of Tokyo has decided to exhibit three world renowned objects. The ‘Star of Africa’, the ‘Jewish Bride’ and a ‘Bugatti 59’. Each of these objects must be transported from their current location to the Tokyo Museum and exhibited for a period of 4 months. Your challenge is to bring the objects to Tokyo, on time, safely and securely, and to have them exhibited for the planned time. Each day too late, will cost money and will harm the image of the bank and the museum.
But, be careful. Ocean’s 99, a criminal organization, is also very interested in the objects… Ocean’s 99 and maybe other unforeseen threats can undermine your plans…welcome to Ocean’s 99 Cyber Security and Cyber Resilience business simulation.
Structure of the simulation
Introduction
The specific learning objectives for your organization will first be introduced. The team members will familiarize themselves with the materials and roles in order to identify who they are during the simulation. Each of the participants will be given a role and a set of responsibilities. The key players are: Bank of Tokyo, Tokyo Museum, Security Officer, Project Manager, IT Support, Transport Manager and the owners of the objects from the Amsterdam Museum, London Museum and Las Vegas.
Security Policy and Risk Assessment
The team will start with an exercise to define the Security Policy of this organization. Together they will agree on strategy, roles & responsibilities and
processes. They will also define the key assets they want to protect. After this the team will perform a Risk Assessment. They will investigate the threats and risks of the Tokyo Museum infrastructure, the Project Managers system to monitor the progress and location of the objects and the systems of the objects owners. The team has a limited budget to invest in advice or tests to analyze the vulnerability of the various systems. As a result, the team can decide to invest in improved systems, software, policy or procedures. The team will design and agree the supporting processes and Cyber Security procedures to be used during the simulation.
Awareness session
When the design work has been completed the team members will prepare themselves for the next phase of the simulation. They must decide what should be part of the awareness campaign and how to organize this.
Moving objects from the museum to the local airport
This is the first round of the simulation in which we will test the team’s design. The team has to move the objects to the local airport. During this round the team will receive a series of realistic Cyber Security events which they must both recognize and deal with. To respond to the events, IT Support has a range of solutions. Some of the solutions may cause delay, others may be expensive to deploy. It is up to the team to find the right balance between the project (opening the exhibition on time) and security (minimizing risks and impact). The scenarios, events and incidents in the game are based upon the most common sets identified in security trend reports and findings to ensure that the learning is both realistic and relevant.
Reflection and improvement
After this first game round the team will capture lessons learned. We will reflect on the 4 P’s. An example of reflection items:
- PEOPLE: awareness & understanding ofpolicy & procedures and the impact ofnot following; communication; feedbackon confronting each other on behavior;knowledge and skills to perform securityrelated activities»
- PROCESS: Were the security policy,processes and procedures fit-for-useand fit-for-purpose; were the proceduresbeing adhered to;»
- PRODUCT: Were security events andincidents detected and recorded, wereproducts used for detection, preventionand recovery;»
- PARTNER: Were all partner and suppliercapabilities in the end-to-end chainaligned;
The actual reflection items and themes can be customized to meet your organization’s specific challenges and learning objectives. Following reflection the team will agree and implement improvements to their Cyber Security and Cyber Resilience capabilities.
Moving the objects from Tokyo Airport to the Tokyo Museum
This is the final round. Again the team will receive a series of events and incidents based on the current security level after having made their improvements and investments in new countermeasures. Then we will hopefully celebrate the opening of the exhibition.
Closure and Lessons Learned
The simulation will finish with lessons learned and actions for day to day work.