Skip to content

Card game for better information security

Published: 25 October 2019

When a company is exposed to digital threats and attacks, there can be major consequences. To increase the understanding of digital threats and risks, researchers at Luleå University of Technology have developed a new tool – a card game.

The card game aimes primarily at small and medium-sized companies and the purpose is to help them protect themselves from external attacks. For example, it may be that someone prevents you from accessing your information or that someone unauthorized changes stored data. It can be viruses, ID hijackings or blackmail programs.

– What happens during the course of the game is that the players get a kind of aha experience and begin to understand both risks and security thinking, says Johan Lugnet, Senior Lecturer of Information Systems and project manager for the Cynic project.

Human factor

The game's focus is on linking the individual's role as the weakest link when it comes to security. It is about understanding that technical protection, such as firewalls and virus protection, is not enough if people simultaneously take risks.

– Most people know that we should not click on the link in the email where it says we have inherited several millions. But this type of e-mail is becoming more sophisticated and can look quite accurate, it is becoming increasingly difficult for the recipients to decide what is a threat or an attack, says Johan Lugnet.

Hidden threats

More and more business owners are exposed to IT crime. Part of the problem lies in the fact that the intrusions are not immediately visible. With burglar alarms, protective glass and locked doors you can see that a property is protected against burglary. A technical protection, on the other hand, is not as permanent as crime is constantly changing. Knowledge is required to monitor the systems that will prevent attacks, and when that happens, it is important to take the right countermeasures.

– The most common risks for companies are mainly the neglect of their own employees or consultants, neglect or mistakes of a third party, errors in systems or IT processes or targeted external attacks, says Johan Lugnet.

– There is a need for a substantial dose of doubt and more common sense at an individual level. The card game should inspire and arouse interest in information security. Instead of small and medium-sized companies handing over information security to someone else to take care of, the result will hopefully be increased security awareness in everyday work.

The Cynic project is funded through ERDF INTERREG Nord 2014–2020, which supports cross-border cooperation to strengthen competitiveness and attractiveness in and between northern Sweden, northern Finland, northern Norway and Sápmi. The project is also supported by Region Norrbotten and Lapin Liitto.

This video has been blocked due to your cookie settings.
Accept marketing cookies or watch the video on Youtube.


Johan Lugnet

Johan Lugnet, Senior Lecturer

Phone: +46 (0)920 491201
Organisation: Information systems, Digital Services and Systems, Department of Computer Science, Electrical and Space Engineering