The Spread
Two players flip their cards at the same moment and the numbers do not match. That silent half second before anyone speaks is the game. Same incident, two honest reads, and the distance between them is exactly what you came to look at. Nobody is being difficult: each Lens genuinely saw something the other did not.
This is not a tabletop exercise, a training course, or a threat-modelling session. It is the risk conversation that happens after the kill chain is known, the one that decides what management actually hears.
The deck
Five card types carry the whole game.
How a round feels
1. Seed the incident
Lay out the attack chain. Each step is one round.
2. Take a Lens
Tech reads Likelihood. Business reads Impact.
3. Commit blind
Write your read privately. No pre-declaring your number.
4. Flip and read the spread
Reveal at once. The opposite Lens answers the board in plain language; a neighbour may only help you say it better.
5. Roll the Verdict
One d20, read aloud in a business voice: Funded, Deferred, or Breached.
The two Lenses
The same threat, two readings. Each Lens is handed a private clue the other cannot see, so the disagreement is honest information, not a manufactured argument. Sharing it is how the table gets the full picture.
What you bring
This is not a standalone game, by design. It needs a real chain of events to chew on, and it takes one from wherever you already have it. The interface is small: an Actor, a Target, and an ordered three to four step attack chain.
A real incident you handled
Map the attack chain, seat your technical and business people together, and rehearse the risk explanation before the actual board meeting. The strongest reason the game exists.
Right after a kill-chain tabletop
Finished a game or exercise that resolved into an ordered attack? Run the risk phase on it immediately, with business stakeholders in the room.
Risk-register calibration
Use real targets and actor profiles from your own environment. The blind-commit surfaces where estimates were never actually aligned.
No facilitator required, the deck runs the session. If it does not give you an Actor, a Target, and an ordered chain, it is not a fit.
Play it today. Free to print at home.
Start with the player guide. It walks a cold table through a first session without a facilitator.
RISK GOVERNANCE
How the Risk Deck supports risk governance
| Requirement | What it asks | How the Risk Deck addresses it |
|---|---|---|
| NIS2 Article 20, governance | Management understands and owns cyber risk, not just signs off | Forces security and business to read the same incident and agree how bad it really is |
| Risk communication | Technical and business sides share one view of risk | The blind-commit mechanic surfaces exactly where their estimates diverge |
| Risk-register calibration | Risk estimates are consistent and defensible | Calibrates real targets and actor profiles so estimates stop being guesses |
FAQ
Frequently asked questions
What is the Risk Deck?
Who is it for?
How does it help with governance and NIS2 Article 20?
Is it standalone?
How do we get it?
How long is a session?
Designed by Klaus Agnoletti and Joel Benge. Source and generators on Codeberg. Licensed CC BY-NC-SA 4.0, free to play, share, and adapt for non-commercial use. Commercial use requires a separate license: contact klaus@relationssec.net.
Part of the serious games lineup for security teams.








