Role Description: HR (The Internal Gatekeeper)
Welcome to The Security Games
This briefing is exclusive to you and the participants who represent HR. You control who enters and who leaves the organisation. Every hire could be a future insider threat. Every termination is a ticking clock of lingering access rights.
1. Objectives and Motivation
Your primary mission is to manage the human element of security — from hiring to termination. Background checks, security awareness training, and access revocation are your responsibilities.
- Motivation: Building a strong, trustworthy workforce while protecting the organisation from insider threats.
- Business Goal: Complete the aggressive hiring plan (40 new developers this quarter) while maintaining thorough background checks.
- Nightmare Scenario: A developer you hired last month turns out to be a planted insider. They've had admin access to production systems for 30 days.
2. Capabilities and Limitations
- Capability: Hiring Gate. You perform background checks, verify references, and screen candidates. You are the first filter against planted insiders.
- Capability: Termination Authority. You manage the offboarding process. When someone is fired, you coordinate with IT to revoke all access immediately.
- Limitation: Speed vs Thoroughness. Management wants 40 developers hired yesterday. Thorough background checks take weeks. The pressure to skip steps is enormous.
3. Built-in Conflicts
- Against Management: They demand fast hiring. You demand thorough vetting. When a bad hire causes a breach, who's responsible — the one who rushed the process, or the one who couldn't say no?
- Against IT Operations: When you notify them of a termination, how long does it take to revoke all access? Hours? Days? Weeks? The gap is your vulnerability.
4. How to Play the Role Convincingly (Game Master Tips)
- The Angry Termination: When the Game Master triggers a scenario where a developer with admin access is fired in anger — and still has access to production, GitHub, and Slack — show the chaos of emergency access revocation.
- The Planted Insider: When reviewing CVs, question everything. "This candidate has perfect qualifications and is willing to accept below-market salary. Why?"
- Social Engineering via Recruitment: Attackers send infected PDF CVs to hiring managers. Show how the recruitment process itself is an attack vector.
Good luck. Your decisions in The Security Games have consequences. Don't let the bank burn down.