Threats and Trade-offs: the game challenging entrepreneurs to think about cyber security

How Dr Joanna Syrda and Dr Oishee Kundu are using a novel approach to illustrate the business risks of neglecting online defences.

Photo from above of a boardgame laid out on a table, with a hand reaching for one of the pieces
Games can be a valuable tool for both research and education. (Photo: Fereshteh Hojatisaeidi)

“Watching people play a game is an excellent way to find out what their risk-taking behaviour is like,” explains Dr Oishee Kundu. “How do people react in an imaginary scenario? You can ask whether you would do the same in real life.”

Oishee is one of a team of Bath researchers at the Institute for Digital Security and Behaviour who have created Threats and Trade-offs, a game that invites players to make business decisions in a complex and dynamic environment.

The game puts you in the shoes of a healthcare technology entrepreneur, tasking you with developing your start-up by balancing growing your business and customer base, and maintaining customer and employee satisfaction.

The biggest obstacle you face? Cyber attacks, which damage your reputation and your balance sheet. However, these risks can be mitigated with a range of countermeasures – provided you invest in them at the right time.

The project's principal investigator, Dr Joanna Syrda, adds:

"Cyber security is important, but where does it sit in your decision-making? You have different competing interests today, but also where does it sit for tomorrow?"

Real-life risks

This question isn't merely an abstract one. According to 2024 statistics from the UK government's Department for Science, Innovation & Technology, approximately half of all UK businesses had experienced a cyber security breach or attack in the previous 12 months. The likelihood of this grew along with the size of the business.

Despite this alarming prevalence, only 51% of the businesses surveyed had taken measures such as risk assessments, staff training or use of security monitoring tools over the past year.

“What we wanted to understand better is how individuals or companies make decisions around investing in cyber security in general, as well as specifically investing in cyber secure hardware,” says Joanna. “These decisions are not made in a vacuum: any company is balancing a lot of competing interests, and budgets and resources are finite.”

Playing to win

A photo of a group of people sat around a table watching as a young woman hands a giftwrapped boardgame to an older woman
Government Chief Scientific Adviser Professor Dame Angela McLean was presented with a copy of the game during her visit to campus in January 2025. (Photo: Tim Gander)

Joanna continues:

"If there's no data [available on a topic] you think, 'Oh, we need to run an experiment – but one that is dynamic.' We decided to go for a game because of that iterative, multi-round nature, which means we can observe [people] learning."

When faced with a limited cash pot, some players – as in real life – fall victim to the temptation of not spending money on upskilling staff about the dangers of phishing attacks or purchasing multi-factor authentication until an attack has already occurred. By this point, it may be too late to avoid reputational damage.

Players can also choose to spend extra money in the initial rounds to make their fictive 'product' more resilient from the outset – a costly move that often pays off in the longer term. Through this mechanic, the researchers hope to sow the seeds for a change of heart around the importance of 'security by design'.

"We never pitched this as a cyber security game, although it becomes like that increasingly [as you play], but rather as a business development game," asserts Oishee. "And cyber security is now an increasingly big part of business strategy."

A hundred playtests

Threats and Trade-offs was initially conceived in 2022 as a physical tabletop game by a research team that also included Dr Kseniya Stsiampkouskaya and Professor Adam Joinson.

It is played cooperatively – with players acting as the board of directors for a tech startup. Gameplay is directed by a facilitator and takes around 45-60 minutes to complete.

Over 2023 and 2024, over 100 players tested the game, providing valuable feedback on user experience and design, and helping the research team observe what worked and what didn't.

For example, cooperative play led to several instances of rule-bending, which practically nullified the scenario of decision-making under constraints. "They didn't pay off their loans, they were side-stepping on regulatory fines – the game was emulating real life much too much!" Joanna mused.

A second edition of Threats and Trade-offs, subtitled 'Competitive Expansion', was produced. It enables players to choose between cooperative and competitive modes, and mutual policing in competitive play is expected to help all players adhere to the rules.

To ensure broad accessibility, the researchers have created a free, DIY version for people to print and play at home.

Digital update

A laptop and a smartphone, both showing the game in progress
Threats and Trade-offs can be played for free online.

In response to the scale-up problem and also to make game play quick and intuitive, the research team applied for further Actionable Insights funding to create a digital version of the game.

This was developed in 2024, in partnership with Bath-based company Storm Consultancy, co-founded by School of Management alumnus David Kelly.

Try the game for yourself online.

Decisions around cyber security are not made in a vacuum: any company is balancing a lot of competing interests, and budgets and resources are finite.
Dr Joanna Syrda, Assistant Professor in Economics, University of Bath School of Management

As well as making the game easier to disseminate at scale, the digital version is also generating a wealth of data for Joanna and Oishee to delve into.

Their initial analysis, working with the results from 118 plays of Threats and Trade-offs, has enabled them to divide players into four broad profiles based on their strategy:

  • Those who opt to spend less money on a less-secure product at the outset, and then incur significant expense on patching it as they go along
  • People who play in a very responsive fashion and end up winning – not necessarily through good decisions, but through sheer agility
  • Players who opt to buy into security from the outset, play a safe and steady game, and win without fireworks
  • Those who follow a similar path to the first group, but make increasingly bad decisions – eventually crashing and burning entirely

Whatever their learning style, however, all groups have found value in their play:

"Even the online game acts as a conversation starter."

Understanding the differing ways in which people learn and think about cyber security can then help to inform training and interventions going forwards. What's more, the online format enables the research team to tweak parameters within the game to investigate various scenarios and treatments.

Core purpose

“Now we have research results which can inform the project,” says Oishee, “as well as this wider question about how people react to technologies and the decision to invest in security.”

The team hopes that the decision-making environment provided by Threats and Trade-offs will give entrepreneurs the opportunity to test out cyber security strategies and learn from mistakes in a ‘safe’ space.

“We think of this game as something that can be educational – although it is not currently set to teach people about cyber attacks and defences in terms of what protects against what,” explains Joanna. “It's more about learning by doing.”

She concludes:

“It’s about a change of heart. That’s what is important.”

To explore how the game can be used in your business or classroom, get in touch by emailing threatstradeoffs@bath.ac.uk.

Impactful collaborations

Threats and Trade-offs was developed as part of Discribe, a £3.5 million research collaboration between the Universities of Bath, Bristol and Cardiff, and Royal Holloway, University of London. The project was funded by UK Research and Innovation (UKRI).

The Discribe hub was led by Professor Adam Joinson, and sought to create a secure digital future by:

  • researching social, cultural, regulatory and readiness barriers to adopting new technologies
  • fostering collaboration across the digital security spectrum
  • developing innovative ways to communicate security risks

Other research outputs from the hub include simulation tools and numerous reports for policymakers.
