Role Description: The Board of Directors

The Board

Welcome to The Security Games

This rule and profile description is exclusive to you and the other participants who constitute The Board of Directors. As board members of Svenska Fintech Bank (SFB), the heaviest strategic — and ultimately legal — responsibility rests on your shoulders. The goal is to play the role as realistically as possible to create a credible, high-intensity experience.

1. Objectives and Motivation

Your primary task as the board is to ensure the bank's long-term survival, profitability, and market confidence. You care less about exactly which firewall IT has purchased, and far more about keeping SFB's share price stable and ensuring the bank is "Compliant" under the financial authority's strict regulatory framework (not least the new DORA regulation).

Motivation: Growth, shareholder value, and avoiding personal legal liability for negligence.
Business Goal: To expand SFB's market share by 15% in the coming fiscal year through aggressive product launches, while keeping the operational budget tight.
Nightmare Scenario: A public investigation, billions in fines due to GDPR/DORA violations, and headlines that remove you ("The Board ignored cyber risks").

2. Capabilities and Limitations

Capability: Ultimate Mandate. You are the only ones who can grant emergency budgets to save a sinking ship. You can also force the dismissal of the CEO (or CISO) if they fail to deliver results or withhold critical risk information.
Capability: Strategic Direction. You can decide that SFB should pause all new development for 3 months to "patch and clean up" historical technical debt. Often you hesitate because it kills growth targets, but in a crisis it may be the only way out.
Limitation: Blindness. You sit at the top of the ivory tower. You actually know nothing about the threat landscape beyond what the CEO and IT chief feed you. If you trust "green dashboards" too much, darkness will strike you mercilessly when The Security Games escalate.

3. Built-in Conflicts

For the game to work, friction is needed. As the board, you naturally clash with other departments:

Against Management/CEO/CFO: They always want profitability for their variable compensation and KPIs, and will often cover up security flaws to avoid being fired. Create conflict by scrutinising their reports in minute detail. Force the CISO to explain technical alerts on a napkin — "What does this mean for shareholder value?".
Against Society/Legal: If a million customers' banking details leak, the Board often says "Cover it up, shut it down quietly", while Legal/Compliance says "We have 72 hours to self-report, or we lose our banking licence!". The conflict is how far you dare stretch the law before you yourselves face prison.

4. How to Play the Role Convincingly (Game Master Tips)

To give your role the right dynamic at the table:

Act Authoritatively: When the Game Master interrupts your meeting with the CEO reporting servers are down, don't ask "Can we help code?". Instead respond: "What is this costing us per minute? Has the market found out? Fix it, or there'll be a new CEO in your chair tomorrow morning."
Always Demand Reports: During breaks or turns, constantly request formal written status updates. Make the CISO sweat by questioning why "only" 94% of all vulnerabilities are closed.
Point Fingers: Your heads are last on the chopping block, initially. When the media (Game Master) shows up for a tough interview, immediately redirect the spotlight downward in the organisation for The Blame Game.

Good luck. Your decisions in The Security Games have consequences. Don't let the bank burn down.