Pink Flower
Pink Flower

100,000+

100,000+

potential reach
potential reach

Increasing cyber resilience to a potential audience of over 100,000 education professionals at over 2,500 schools across New Zealand.

8.46 / 10

8.46 / 10

average response for "How valuable?"
average response for "How valuable?"

Teachers rated it highest at 8.73. Across all roles, participants found the game easy to follow (4.54/5) and said it prompted new thinking about their school's cyber readiness (4.32/5).

First-of-its-kind

First-of-its-kind

in New Zealand
in New Zealand

The first cybersecurity tabletop exercise designed specifically for New Zealand schools — bringing an industry-standard format to the education sector for the first time.

70 / 72

70 / 72

schools rated the experience 7 or higher
schools rated the experience 7 or higher

The most valued aspects of the session were discussion and collaboration, with 30+ participants calling out the conversations it sparked across different school roles.

In a nutshell

Client

Client

Ministry of Education

Role

Role

Lead researcher, UX and content designer

Year

Year

2025

Glitch! is a cybersecurity tabletop game created for the Ministry of Education to help school staff across New Zealand prepare for cyber incidents.

Rather than delivering guidance through static policy or training, the project explored how a physical, discussion-led game could build shared understanding, clarify roles, and give non-technical staff confidence to participate meaningfully in a cyber response.

The challenge

Designing for every school.

Glitch! had to make cybersecurity feel relevant, valuable, and actionable for every school in New Zealand, from rural schools with limited infrastructure to large institutions with dedicated IT teams, regardless of technical capability, school size, or prior experience.

The approach

This project was a two-person collaboration with my Head of Creative, who handled the visual direction.

I led the research, content design, and UX: designing the core function of the game, testing and iterating on prototypes, and authoring and refining the majority of game content to ensure the experience was engaging, understandable, and practical for staff at all levels.

The concept

Ideation: The first concept

Our initial ideation explored a traditional game format with points, tokens, and layered mechanics like specific roles with specific skillsets. By making the game fun, education would be approachable.

Mockup of our original proposal, showing a top-down view of what the game would look like in action (Miro)

We also considered the physicality of the game: what makes board games fun?

Having a tactile card element was important to our game for engagement. We started with two types of handheld cards: one for characters, who could represent different roles and skillsets, and a set of Chance cards, which could introduce an element of unpredictability that’s common in cybersecurity incidents.

Character and Chance cards (Miro)

Desktop research: What the industry told us

Unfortunately, desktop research into existing cybersecurity tabletop exercises revealed that industry-standard formats were dry, text-heavy, and assumed significant technical knowledge…but they were realistic, which made them effective for actually planning against a cyber incident.

Our client also flagged that our initial concept didn't align with the industry standard they'd expected — which, combined with our research findings, prompted us to reconsider the concept entirely.

Refining the concept: Stripping it back

With a much clearer idea of the cybersecurity industry’s standard for this kind of activity, we pulled back the complex mechanics of our original idea and redeveloped our concept into a simple, step-by-step, discussion-led game. I developed a structured content framework with discussion questions and best-practice answers.

This led us to a flippable tent-card format, which supported the discussion and pacing of the game by allowing groups to gather around a shared artefact and focus on one scenario step at a time.

To keep the exercise engaging, we kept our Chance Cards as an opportunity to introduce realistic curveballs without overwhelming beginners.

A low-fidelity mockup of our proposed concept, showing mid-gameplay interaction with a timer and scenario progression.

The flippable tent-card format that allowed us to take players through the scenario step-by-step.

A low-fidelity mockup of our proposed concept, showing mid-gameplay interaction with a timer and scenario progression.

The flippable tent-card format that allowed us to take players through the scenario step-by-step.

The research

1:1 usability sessions: Testing with real school staff

I ran remote 1:1 sessions using a high-fidelity digital prototype with principals, teachers, and IT leads. This surfaced where content felt overly technical, scenarios lacked realism, and the flow and timing of the exercise broke down.

🤔 Why digital? — With our budget, in-person testing would have skewed heavily towards large city schools with strong IT capability who needed this game the least. Remote sessions over Zoom let us hear from rural schools, non-technical staff, and roles I wouldn't have accessed otherwise.


Our digital prototype in action.

Observational research: Live conference testing

I then observed gameplay with the physical prototype during two live workshops at an education conference, with over 70 people in groups of 4–5 people.

I learned how different roles engaged in discussion, how a strong facilitator (or lackthereof) could affect momentum, and where ambiguity stalled decision-making. A short paper survey captured perceptions of clarity, value, and ideas for improvements.

My colleague and I attended the conference so we could observe how users would actually play the game.

Our client facilitating the game at an educational conference in Auckland.

The paper prototype tent card format we tested, with 4 Inject cards spread out.

My colleague and I attended the conference so we could observe how users would actually play the game.

Our client facilitating the game at an educational conference in Auckland.

The paper prototype tent card format we tested, with 4 Inject cards spread out.

The insights

Assumption: Good content design could carry the game

If we reduced technical language and made the content clear enough, participants would be able to engage meaningfully regardless of their cybersecurity confidence.

Analysis: No, it can't

The facilitator was doing the game's job. Groups with a strong facilitator thrived: they translated jargon, drew on real school experience, and kept discussion on track. Groups without one experienced flailing discussions and stalled pacing.

Still too much, too technical, too abstract. Starter questions were dense, recommended actions were bloated and too time-consuming to parse mid-game, and scenarios didn't always feel real enough to take seriously.

Synthesis: Build a game anyone can run

Supporting the facilitator role more explicitly — through clearer structure, defined roles, and simpler content — meant the game could work for any group, not just lucky ones.

Our paper surveys allowed us to capture quantitative data alongside qualitative observations.

The changes

The changes

The changes

Clarified scenario flow

"Injects" is standard tabletop terminology. My hypothesis was that using these as the scenario steps would spark curiosity, but it sparked confusion instead. Starter questions were too technically specific, which stalled discussion.

I reworked scenarios into clearly numbered steps and streamlined prompts to reduce cognitive load. Players stopped getting stuck on terminology and started focusing on what they actually knew: who to contact and how to respond.

Before

Before: Each scenario step was called an "Inject", with 3-4 starter discussion questions.

After
Before

Before: Each scenario step was called an "Inject", with 3-4 starter discussion questions.

After

Reframed response guidance

The response guides were meant to give players a practical checklist to measure themselves against. In practice, the technical density made them easy to dismiss mid-game. I replaced them with concise, prioritised actions, a real-life example, and a restructured summary.

Before

A Response Guide (after each step) and a Response Summary (after each scenario) with best practices categorised by capability.

After
Before

A Response Guide (after each step) and a Response Summary (after each scenario) with best practices categorised by capability.

After

Defined roles and instructions

The role of a facilitator was critical to the flow of the game; regardless of their existing cybersecurity knowledge, a strong leader was able to drive deeper discussions.

Rather than hoping for a natural leader, I made the role explicit. I created a dedicated Navigator guide with prompting questions, timing guidance, and group dynamics support so any group could run the game confidently.

Before

Everyone received the same instructions, with a generic "choose a role" instruction.

After
Before

Everyone received the same instructions, with a generic "choose a role" instruction.

After

Clarified scenario flow

"Injects" is standard tabletop terminology. My hypothesis was that using these as the scenario steps would spark curiosity, but it sparked confusion instead. Starter questions were too technically specific, which stalled discussion.

I reworked scenarios into clearly numbered steps and streamlined prompts to reduce cognitive load. Players stopped getting stuck on terminology and started focusing on what they actually knew: who to contact and how to respond.

Before

Before: Each scenario step was called an "Inject", with 3-4 starter discussion questions.

After
Before

Before: Each scenario step was called an "Inject", with 3-4 starter discussion questions.

After

Reframed response guidance

The response guides were meant to give players a practical checklist to measure themselves against. In practice, the technical density made them easy to dismiss mid-game. I replaced them with concise, prioritised actions, a real-life example, and a restructured summary.

Before

A Response Guide (after each step) and a Response Summary (after each scenario) with best practices categorised by capability.

After
Before

A Response Guide (after each step) and a Response Summary (after each scenario) with best practices categorised by capability.

After

Defined roles and instructions

The role of a facilitator was critical to the flow of the game; regardless of their existing cybersecurity knowledge, a strong leader was able to drive deeper discussions.

Rather than hoping for a natural leader, I made the role explicit. I created a dedicated Navigator guide with prompting questions, timing guidance, and group dynamics support so any group could run the game confidently.

Before

Everyone received the same instructions, with a generic "choose a role" instruction.

After
Before

Everyone received the same instructions, with a generic "choose a role" instruction.

After

The retrospective

The outcome: First-of-its-kind

Glitch! launched as a first-of-its-kind cybersecurity tabletop exercise designed specifically for the New Zealand education sector. 70 out of 72 participating schools rated the experience a 7/10 or higher, with users praising how the physical format sparked collaboration across school roles.

🔗 Try the digital version of Glitch yourself!

The takeaway: Research representation vs. realism tradeoffs

Designing a physical game rather than a digital product was a unique challenge, but the biggest learning applies to both: people hate reading. Simplifying the game content at the expense of creating additional supporting materials for the facilitator made it more engaging.

This was hard to catch in remote testing sessions, where we thought the tradeoff of a realistic scenario for audience reach and representation would be worth it. We were lucky to have the live conference testing lined up; even so, if I could do it again I'd pair it with at least one realistic in-person facilitation-focused session earlier in the process.

The impact: AI-assisted research workflows

This project served as the foundation for my featured presentation at UX Auckland (2026), where I demonstrated how leveraging Dovetail for synthesis allowed our two-person team to rapidly generate recommendations in a 4 hour (!) timeframe.

You can view that on this page, or on Youtube.