While many people first encounter Role Playing Games through the fantasy genre and Dungeons & Dragons, there are many other games and genres out there and some of them support the concept of hacking.

I’m not talking about hacking the RPG rules to better handle situations the creators never addressed (or addressed poorly). And I’m not talking about hacking a toaster to use it as an incubator for chicken eggs. (Can you even do that?)

I’m really referring to hacking as the compromise of an electronic system like a computer, router, or other digital device. It could be breaking into or crashing a government mainframe, subverting a security camera to loop an image of an empty corridor, or finding out on what level the prisoner is being held so a rescue can be mounted.

The thing is, most of the rules for hacking that I have read just don’t work for me. I have worked in security and IT for over 30 years and the rules I have encountered never felt right.

So, in this article, my intent is to dive a little deeper into the concept of hacking and how it can be approached in an RPG that results in a fun and approachable challenge for the entire group. In future articles I may try to present some RPG-specific rules or suggestions for implementing hacking encounters, but this article is to flesh out the approach.

The Problem with Existing Hacking Rules

In reading the rules for various RPGs – particularly sci-fi and cyberpunk RPGs – I have seen three common approaches:

  • Skill Check – The simplest model, a character makes some kind of a Hack check and either succeeds or fails (or succeeds with complications). The hack is over in a few seconds and we’re on to the rest of the adventure or score.
  • Complex Hacking Mini-Game – The other extreme of the scale, in this case the Game Master has to design a multi-node environment with various interconnects that the hacking player traverses with numerous skill checks. It’s sort of a dungeon crawl where the tunnels are the network and the rooms are the nodes. This puts a tremendous load on the GM to design a believable encounter and it often includes just a single player while the rest of the party twiddles their thumbs. The player could just be directed to an actual Hack the Box (HTB) or Capture the Flag (CTF) competition.
  • Abstracted Mini-Game – This alternative establishes a hacking challenge but then addresses it using something completely unrelated to actually hacking systems. It’s like switching into a game of Wizard’s Chess, with the PC succeeding at the hack challenge if they win this other game. Again, this tends to result in a bunch of players sitting around checking their watches.

For some tables, the above options are completely acceptable and, if you are happy with those, more power to you. If not, though, there are other approaches we can consider. Before developing such an approach, it’s best to consider when a hacking challenge is appropriate so that it can be further developed.

Hacking Scenarios

There are two types of hacking scenarios to consider. The first is when hacking is the primary objective. The players’ goal can be met if they succeed at the hacking challenge.

An example of this type is when the PCs want to steal the sealed court documents about a corrupt politician’s past, with the intention of exposing it, exacting revenge and causing the politician’s downfall. They hack into the system, breaking past security controls, avoiding detection, and exfiltrating the information.

Mission Accomplished.

The second type is when the hack is supporting another mission objective.

In the previous example, if those court documents were physically stored in a filing cabinet, the hacking challenge may involve knocking out the electronic locks on the court’s doors and compromising the security cameras, giving the rest of the team a chance to get in to steal the files. Just succeeding at the hack doesn’t make the entire mission succeed – it just increases the chance of success. Likewise, failing at the hack makes it much harder to succeed, but may not completely nuke the attempt.

Recognizing the two types of scenarios, we now want to drill down one more level and build out a high-level challenge. For this, I think it’s helpful to consider real-world security objectives.

The CIA Triad

In real-world cybersecurity, the objectives of a security program are divided into three categories: Confidentiality, Integrity, and Availability. We commonly refer to these as the CIA triad. Trust me, I am not trying to turn you into a cybersecurity professional (unless you want to be, then we can talk). I simply want to use this framework to present an approach to building out your scenario.

Confidentiality

When a person or organization has something they wish to keep secret, they establish one or more security controls – obstacles – to maintain the confidentiality of that data. Other than data that is meant to be shared with the general public, most data has a “need to know” list that determines who can access the data and what they are allowed to do with it.

  • The combination to a safe full of money must only be known by the bank’s managers.
  • The codes to launch nuclear missiles must be known only to the most senior officials in the military (and even then, an individual may only be granted access to part of the code).
  • The secret ingredients in a popular beverage are known only to trusted executives in charge of the supply chain.
  • The medical diagnosis of a patient must only be known by the patient, the doctor, and (in the US, at least) the one who pays for the service.

For gaming purposes, is there some kind of data the party wants to acquire, either as the main objective or to support some other objective? The plans to the Death Star were surely marked Top Secret, no?

Integrity

When information is used to make decisions, that information has to be reliable. The concept of integrity is to ensure the information cannot be tampered with. Integrity also applies to systems. If a system is designed to operate in a certain way, it shouldn’t start acting in an unexpected way.

  • A security camera must always show an accurate representation as to what is happening in the hallway outside the weapons lab.
  • The financial transactions of a commercial entity need to properly reflect sales totals.
  • A centrifuge used to separate nuclear materials must only operate within a certain set of parameters.
  • A patient record must accurately reflect any allergies the patient has.

Would compromising the integrity of data or a system permit the players to frame an executive for malfeasance or lie to an operator to avoid detection during a heist?

Availability

Availability means that a system or its data is accessible to those who need it when they need it.

  • A sales website needs to be running when customers try to access it.
  • The security alarms need to be powered on and active when a threat arises.
  • The phone line needs to be active (with dial tone) when you have to call for help.
  • The EKG machine needs to be working when the heart attack patient is wheeled in.

Do the players want to take down the mega corp mainframe or knock out the power grid for 90 seconds? That tractor beam only has to be off long enough for us to get the ship out of there.

Again, the above isn’t intended to turn you into a security professional. It is intended to provide a way to think about character/party goals and how a hacking challenge can be presented to build your story. With that in mind, we turn to scenario development.

Hacking Scenarios

From a structural point of view, I think the vast majority of hacking scenarios work as a heist. If you aren’t familiar with running heists, I point you to the excellent work of Justin Alexander at the Alexandrian. He presented a number of articles diving into game structure, with a very helpful one on heists.

The main takeaway is that the majority of the heist takes place up front, in information gathering. We’re going in with a plan, and the plan development has a major impact on our success.

It’s at this point I will introduce another real world resource – the Mitre ATT&CK Framework. Mitre is basically a U.S.-based think tank that provides, among other things, research and guidance on technology and security issues.

The ATT&CK Framework presents a way to break down cyber attacks to understand how attackers attempt to compromise systems and how to defend against them. The framework is far too detailed for one-to-one inclusion in an RPG, but there are some concepts I think are useful and that guide my discussion below.

Reconnaissance

Attacks (hacks) start with Reconnaissance. This is the information gathering process that’s important to any heist or hack attempt.

The players will perform various research tasks to learn more about their target:

  • What security measures are in place?
  • How good are they?
  • Where is the target system or data kept?
  • When does the guard shift rotate?

There are lots of different ways to learn what you need. In modern times, you can search through social media posts looking for discussions by employees of the firm and job postings that reveal the technologies in use. It could be a break-in to the company that installed the security system (a mini hack to set up the real hack). This leads me to an important point:

Real hacking is often quite boring and doesn’t actually include heavy computer usage. If you’ve watched Mr Robot, you may have noticed that the vast majority of hacking involves manipulating humans. This could be:

  • Deception – to trick the person into giving out confidential information, like the password or the location of the security cameras. Or plugging that infected drive into their computer.
  • Persuasion – to convince the person to help you willingly, perhaps for a cut of the profits or to get revenge.
  • Intimidation – to threaten the person (or their family, loved ones, etc) so that they give you what you want.

Some of this fits into reconnaissance and some in later phases. It’s actually not necessary to think in phases, such that one thing must be done before the other. This is all to give you the tools to conceptualize a hacking encounter. It doesn’t need to be rigid.

But look at that list again: deception, persuasion, intimidation. Chances are your RPG of choice already has a way to check your success in exercising those skills. That means much of the hacking challenge can be addressed using existing rules, you just need to know how to design the scenario!

Once the information gathering is complete – and the GM should have a general sense of how much of the information is accurate – other skills may be needed to execute the plan. And, to execute the plan, the players may need to develop (or gather) additional resources. In the ATT&CK Framework, this is referred to as Resource Development.

Resource Development

Are there things the players can put into place to support their hack and help it be successful? A fake (or stolen) Identification Card to get past the guards? A computer virus-infected thumb drive to establish a connection on the inside?

In the classic movie The Sting, Paul Newman, Robert Redford, and the rest of the crew rent a building to serve as an illicit gambling hall to pull off their operation. Later, when they run into a complication, they temporarily take over a Western Union office to reduce their mark’s suspicions.

In the remake of Ocean’s Eleven, the team builds a fake vault. They acquire an EMP generator. They get casino uniforms.

Once the players have performed their reconnaissance, they should then be encouraged to acquire tools or connections (resource development) that allow them to weaken or overcome the identified controls:

  • A fake ID and a stolen (legitimate) password can overcome an otherwise highly secure system, because every system has to allow someone to gain authorized access.
  • Stealing the vault combination and disguising yourself as the bank manager will defeat an unbreakable safe.

Initial Access

Players may also consider how they will gain initial access to the target. Perhaps the target uses a third-party security monitoring service that could be easier to target initially, bypassing some of the stronger preventive security measures. That infected drive mentioned earlier, if plugged in, may get you past the initial preventive controls. Breaking into a secure bank vault may be easier if you cut through the wall of the adjoining supermarket rather than deal with all the bank cameras.

All of the examples have players trying to overcome obstacles, so let’s understand those a bit more.

Obstacles: Security Controls

Each obstacle the players face in a hack is what we call in the industry a Security Control. They come in a few different varieties, based on what they are designed to do (and you can look at the National Institute of Standards and Technology – NIST – for this approach).

At a very high level, these controls may:

  • Prevent access to or damage to an asset
  • Detect attempts to access or damage an asset
  • Respond to attempts to access or damage an asset
  • Recover from a successful (or partially successful) attempt to access or damage an asset.

Assets are simply anything that the target considers valuable. It could be Intellectual Property or Trade Secrets. It could be a manufacturing capability that gives them a competitive advantage over their rivals. It could be the security system that protects other assets.

As you decide what obstacles may be in place, the PCs will need to break through or otherwise circumvent preventive measures, sneak past or disable detective measures, and delay or eliminate responsive and/or recovery measures. Breaking through preventive measures is likely to trigger detection unless the players account for that. A successful detection will trigger a response unless the players account for that.

  • Clear cutting the forest around the castle makes it easier to detect an approaching army.
  • A moat prevents direct contact with the castle walls.
  • A trained militia can organize quickly, fully armed, when a threat appears.
  • Engineers, with a pile of timber and tools, can rebuild the gates after they’ve been smashed down.

Each of those obstacles may represent one or more of the security objectives mentioned earlier (CIA).

As you think about introducing a hacking challenge, therefore, consider the players’ goal, determine if there are technical complications that must be overcome, and categorize them as preventive, detective, responsive, and/or recovery. You will also want to consider the strength of the control.

What do I mean by that?

The most critical assets owned by MegaCorp are likely protected by the Cyberdyne Firewall 3000 – a military-grade prevention device – and monitored by a 24×7, multi-cubit AI that can process over one trillion sensor inputs per second. In other words, the prevention and detection controls are top of the line and very difficult to circumvent… without help.

Marjorie Whisper’s private apartments, however, may have a consumer grade camera built into the doorbell and an electronic alarm system monitored by Tony’s Alarm Company. It’s designed to keep out the common street thug, but not top-tier professionals like your players.

Depending upon the game system this is built in, the GM would use existing methods to rank the defensive strength, such as a Difficulty Class, Resistance Strength, or some other metric.

At the top of the article, I was critical of the “hacking challenge as a dungeon crawl” metaphor. Or I may have appeared to be. I think it does work if you’re building a complex hacking challenge – but the RPGs generally don’t give you the knowledge on how to structure the challenge. Think about layers of different types of obstacles, each of some resistance strength, between the players and their objective.

There are additional paradigms that can be considered to make this work. One that I really like is the Progress Clock concept from Blades in the Dark. You may also consider the Skill Challenge that was included with the 4th Edition of D&D. You want to be able to track the players’ progress toward achieving their stated goal(s) and account for complications that arise from failed checks.

Let’s collapse that down to an approach you can use.

Putting It All Together

  1. Establish the party’s goal and determine if there is an opportunity for a hacking challenge.
  2. Decide whether the party’s objective is met with a successful hack or if the hack is just supportive.
  3. Identify the asset(s) that will be targeted by the players.
  4. Identify the security objectives of the target in protecting the asset(s) using the CIA Triad.
  5. Brainstorm ideas of interesting obstacles using: prevent, detect, respond, and recover.
  6. Develop difficulty ratings for each obstacle.

It’s usually at this point that the players start performing reconnaissance using existing skills, learning something about the obstacles, and identifying ways to weaken or otherwise overcome them. As skill checks are performed, the GM may dole out positive or negative modifiers to future checks.

For example, if a player attempts to deceive the CEO’s admin assistant trying to gather some intel and fails their roll, the admin may become suspicious and alert security personnel, making future interactions with the organization’s insiders more difficult.
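The six steps and the modifier rule above, sketched as an added example (not part of the original article and not tied to any published game system). The class names, the difficulty numbers and the "roll plus modifier versus difficulty" rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Obstacle:
    name: str
    category: str              # step 5: prevent / detect / respond / recover
    objective: str             # step 4: "C", "I" or "A"
    difficulty: int            # step 6: GM-assigned rating (constructed scale)
    neutralized: bool = False  # the players accounted for it before the hack

@dataclass
class Scenario:
    goal: str                  # step 1
    hack_is_primary: bool      # step 2
    asset: str                 # step 3
    obstacles: list = field(default_factory=list)
    modifier: int = 0          # running bonus or penalty from earlier checks

    def recon(self, roll, difficulty, neutralizes=None):
        """Recon or resource-development check made with an existing skill."""
        if roll + self.modifier >= difficulty:
            self.modifier += 1
            for o in self.obstacles:
                if o.name == neutralizes:
                    o.neutralized = True
            return True
        self.modifier -= 1     # e.g. the admin assistant becomes suspicious
        return False

    def _active(self, category):
        return [o for o in self.obstacles
                if o.category == category and not o.neutralized]

    def run(self, rolls):
        """Resolve the hack; one roll is consumed per contested control."""
        rolls = iter(rolls)
        result = dict(breached=False, detected=False, responded=False, recovered=False)
        for o in self._active("prevent"):
            if next(rolls) + self.modifier < o.difficulty:
                return result  # stopped at a preventive control
        result["breached"] = True
        for o in self._active("detect"):
            if next(rolls) + self.modifier < o.difficulty:
                result["detected"] = True
        # Detection triggers a response unless the players accounted for it.
        result["responded"] = result["detected"] and bool(self._active("respond"))
        result["recovered"] = bool(self._active("recover"))
        return result

def courthouse():
    """The article's courthouse example with constructed difficulty numbers."""
    return Scenario("steal the court files", False, "door locks and cameras", [
        Obstacle("door locks", "prevent", "C", 14),
        Obstacle("security cameras", "detect", "I", 12),
        Obstacle("security personnel", "respond", "C", 10)])
```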

Future Work

There are still things to be added to this approach.

I’d like to expand upon the players’ approach to the scenario – identifying the types of information that should be gathered and the resources developed.

I’d also like to further expand on how to make this a group challenge rather than the lone hacker mini-game. I hope it’s clear that the information gathering portion – the majority of the challenge – is very much a team sport.

Finally, I’d like to build out some consequences for those doing the hacking so that it’s not just a “hacker in a van” where failure does not result in character harm.

Conclusion

If you want to bring hacking into your game and are not satisfied with the rules as published in numerous game systems, there are options. By using some concepts related to real life cybersecurity, even a non-techie can develop an interesting scenario that presents challenges for the entire party.
