Information Security Practice as a Game of Chess
Ted.Phelps [@] suny [.] edu

Seeing it as a Game
Information security practice (here abbreviated as ISec) is complex and disjoint. But, making an analogy between ISec and a strategic game, such as chess, can help us hold it all together in a single, holistic view. A game analogy is particularly effective here because it underscores one of the fundamental characteristics of information security practice, which is constant vigilance and struggle in a field of power and resistance against continuously shifting threats. A chess or bridge player cannot slap into place whatever he or she wants. That’s what makes it a game. All games, including solitaires, have by design, built-in resistance factors. Most also insert the shifting, complex resistance induced by the opponent. In the same way, maintaining sufficient security (of all kinds) in an organization is an ongoing, competitive, strategic process that takes place in a complex environment with both built-in organizational resistance factors and the resistance induced by the “opponent”—1) the ambient (chronic) threats affecting all comparable organizations in the environment, and 2) the directed (acute) attacks attempted against particular organizations or resources. People who hope to protect their organizations must pour significant amounts of time, thought, energy, and heart into overcoming these forms of resistance. Their struggles are as complex and sometimes as abstract as those seen in tournament play in difficult, intellectual games, such as chess.

The Game Objective
The ISec objective is in part defensive; it seeks to avoid damage to mission-critical information and systems. In chess, defensive strategy is ultimately the protection of one’s own King. Loss of the King defines loss of the game. Defensive strategy ultimately focuses on maintaining the safety, if not the usefulness, of that single piece. Chess strategy is also offensive, of course, aimed at capturing the opponent’s King. ISec strategy is also offensive in seeking the capture of agents that seek us harm. But the objective is also to maintain the health of the institution by managing information and the systems that contain, process, and present that information. Information is like blood. We need to defend against poisoning (lack of integrity) and bleeding (loss of  confidentiality) and stoppage (loss of availability). But we also must work to keep its chemistry well balanced so that we remain, not just alive, but healthy.

The Player
To understand this analogy, one must imagine ISec being handled by one or more people who employ consistent, comprehensive, strategic thinking. In other words, a game needs a player. The people who care about their institution’s risk postures (in any form) and who and make long, continuous, heartfelt attempts to manage that risk are the ones playing this game. They may well be down on the field, like a football player, but they must also sit outside of the battle, like a chess player, taking in a comprehensive view of what is happening everywhere on the board. An ISec player can be anywhere on (or off) the Org Chart. The player’s actions within the organization must be actually exerting an intended influence on the organization’s behavior with information, even if the influence seems small or is just getting started. His or her thinking must seek to be comprehensive, institutional, and strategic. When the player’s mind becomes embedded into an institutional function, it is known as an Information Security Program. Much of the game of ISec in the second phase of its work, is the creation of institutionalized players.

The Arena
ISec as an ongoing strategic process occurs within defined boundaries. There is no security game, for example, applied to the general population. The ISec game requires the definition and limitations of specific domains of responsibility. This is like the arena or board of a specific game. In chess, the arena is the familiar 64-square checkered board, defined as eight ranks and eight files (rows and columns). The board offers a meaningful analogy to the structures (physical, social, political, financial, legal, supervisory, contractual, etc) of the organization. It also offers a meaningful analogy to the major areas in which ISec plays, the “Field of Operations,” such as Information, Workforce, Computers, Networks, Products, Services, etc.

The Pieces
Taking a strategic view of ISec reveals it to be a dynamic interplay of (the famous triad) “People, Process, and Technology.” To these famous three, we could add many other dynamics, such as Building, Location, Environment, Philosophy, Culture, Funding, Law, and Morale. These dynamic elements can be seen through the analogy of chess as the six types of pieces that populate the board and create all the action and trouble in a given game. Unlike checkers, where each piece is identical in shape, name, position, and capability, chess provides each player with 16 pieces distributed in six types: a King, a Queen, two Bishops, two Rooks, two Knights, and eight Pawns. The richness of the game derives from the pieces’ differences in shape, position, and capability. Capability is mostly expressed as the way the piece can move across the board and how it can defeat another piece. So, to what functions in ISec would we equate each of these six types of chess pieces? There is no single answer to that. Indeed, it would be good for each ISec player to take the time to make his or her own mappings as a visualization. The following mapping is just one. Because I have not attempted to describe the powers of the chess pieces except in a minimal way, the value of this mapping to the reader will have to rest largely on his/her own knowledge of chess—which can easily surpass my own.

In Part 2, Ted explains the different roles the pieces represent. 

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.