So, tell me, what’s the worst thing that could happen?

A cooperative card game where your security people and your business people read the same incident, and then have to agree on how bad it really is.

Cooperative card game · 3 to 6 players · Print and play · CC BY-NC-SA 4.0

Risk Deck clue card, back face

The Spread

Two players flip their cards at the same moment and the numbers do not match. That silent half second before anyone speaks is the game. Same incident, two honest reads, and the distance between them is exactly what you came to look at. Nobody is being difficult: each Lens genuinely saw something the other did not.

This is not a tabletop exercise, a training course, or a threat-modelling session. It is the risk conversation that happens after the kill chain is known, the one that decides what management actually hears.

The deck

Five card types carry the whole game.

Risk Deck Actor card

Actor
who is attacking

Risk Deck Target card

Target
what is at risk

Risk Deck Consequence card

Consequence
what landing looks like

Risk Deck Control card

Control
what you spend to stop it, mapped to NIST, ISO and CIS

Risk Deck Boardroom card

Boardroom
the question that forces plain language

How a round feels

1. Seed the incident

Lay out the attack chain. Each step is one round.

2. Take a Lens

Tech reads Likelihood. Business reads Impact.

3. Commit blind

Write your read privately. No pre-declaring your number.

4. Flip and read the spread

Reveal at once. The opposite Lens answers the board in plain language; a neighbour may only help you say it better.

5. Roll the Verdict

One d20, read aloud in a business voice: Funded, Deferred, or Breached.

Risk Deck round flow diagram

No teams. You win or lose as one table, against the scenario.

The two Lenses

Risk Deck Tech Lens clue card

Tech Lens reads Likelihood and exploitability.

Risk Deck Business Lens clue card

Business Lens reads Impact and blast radius.

The same threat, two readings. Each Lens is handed a private clue the other cannot see, so the disagreement is honest information, not a manufactured argument. Sharing it is how the table gets the full picture.

What you bring

This is not a standalone game, by design. It needs a real chain of events to chew on, and it takes one from wherever you already have it. The interface is small: an Actor, a Target, and an ordered three to four step attack chain.

A real incident you handled

Map the attack chain, seat your technical and business people together, and rehearse the risk explanation before the actual board meeting. The strongest reason the game exists.

Right after a kill-chain tabletop

Finished a game or exercise that resolved into an ordered attack? Run the risk phase on it immediately, with business stakeholders in the room.

Risk-register calibration

Use real targets and actor profiles from your own environment. The blind-commit surfaces where estimates were never actually aligned.

No facilitator required, the deck runs the session. If it does not give you an Actor, a Target, and an ordered chain, it is not a fit.

Play it today. Free to print at home.

Start with the player guide. It walks a cold table through a first session without a facilitator.

RISK GOVERNANCE

How the Risk Deck supports risk governance

Requirement What it asks How the Risk Deck addresses it
NIS2 Article 20, governance Management understands and owns cyber risk, not just signs off Forces security and business to read the same incident and agree how bad it really is
Risk communication Technical and business sides share one view of risk The blind-commit mechanic surfaces exactly where their estimates diverge
Risk-register calibration Risk estimates are consistent and defensible Calibrates real targets and actor profiles so estimates stop being guesses

FAQ

Frequently asked questions

What is the Risk Deck?
A cooperative card game where your security people and your business people read the same incident, then have to agree on how bad it really is. The gap between their private estimates is the whole point.
Who is it for?
Mixed tables of technical and business people, 3 to 6 players. It is designed to make security and business practise talking about risk before a real incident forces them to.
How does it help with governance and NIS2 Article 20?
Article 20 expects management to understand and own cyber risk. The Risk Deck gets security and business to reconcile their risk reads out loud, which is the conversation governance depends on.
Is it standalone?
No, by design. It latches onto a real incident or attack chain you bring. Anything that gives you an actor, a target, and an ordered chain can seed a session.
How do we get it?
It is print and play. You can download and print the whole set, licensed CC BY-NC-SA 4.0.
How long is a session?
A cooperative round-based session that fits a workshop slot, scaled to how many steps you put in the chain.

Designed by Klaus Agnoletti and Joel Benge. Source and generators on Codeberg. Licensed CC BY-NC-SA 4.0, free to play, share, and adapt for non-commercial use. Commercial use requires a separate license: contact klaus@relationssec.net.

Part of the serious games lineup for security teams.

No cookies here

Notice there’s no cookie banner here.
That’s intentional and the site is still GDPR-compliant. I chose to avoid cookies and stick to basic, privacy-friendly stats.
My analytics are cookieless: self-hosted Plausible (EU) and PostHog in cookieless mode, with your IP anonymized. No cross-site tracking, nothing that identifies you.
The one cookie I can set does the opposite of every other cookie: it tells my stats to ignore you completely, and you only get it if you ask.

Everybody wins.